dotdefender User Guide Applicure Web Application Firewall

Save this PDF as:
 WORD  PNG  TXT  JPG

Size: px
Start display at page:

Download "dotdefender User Guide Applicure Web Application Firewall"

Transcription

1 dotdefender User Guide Applicure Web Application Firewall

2 Table of Contents Chapter 1 Introduction Overview Components Specific Windows components Specific Linux/Unix components Benefits Organization of this Guide... 8 Chapter 2 Getting Started Using the Administration Console Stopping and Starting dotdefender Applying Changes Workflow Chapter 3 Managing Logs Overview Viewing policy changes in the audit log file Configuring the dotdefender Log Database Viewing the dotdefender Log Database in the Log Viewer Opening the Log Viewer Filtering the Log Searching for an Event Backing Up the dotdefender Event Database (Windows) Backup dotdefender Event Database Backup dotdefender Event log from the Windows Event Viewer Backing Up the dotdefender Event Database (Linux) Backup of dotdefender configuration/rules (Linux) Backup of dotdefender Configuration/rules (Windows) Identifying False Positives Chapter 4 Preventing Information Leakage Information Leakage Overview Leakage Prevention Best Practices Rules Leakage Prevention Custom Rules Applicure 2 of 2

3 Chapter 5 Configuring Website Security Profiles Website Security Profiles Overview Modifying a Website Security Profile Configuring Operating Mode Configuring Session Protection Import/Export security profile Configuring the Error Page Configuring Advanced Settings Server Masking Upload Folders Protection Chapter 6 Configuring Patterns and Signatures Patterns and Signatures Overview Rule Categories Enabling/Disabling a Rule Category Configuring Patterns Modifying Best Practices Adding User-Defined Rules for incoming requests Searching in Client Remote Address Searching in URI Searching in User-Agent header Searching in Commonly Attacked Fields of HTTP Requests Searching in Custom Parameters of XML/SOAP Elements Adding User-Defined Rules for responses Managing the Rules Viewing the User-Defined Rules Enabling/Disabling a User-Defined Rule Deleting a User-Defined Rule Editing a User-Defined Rule Managing Signatures Chapter 7 Configuring Global Settings (Windows) Enabling / Disabling logging to Windows Event Logs Enabling / Disabling NAT Support Updates Chapter 8 FAQs and Troubleshooting FAQs How do I allow an IP address, or a range of IP addresses? How do I identify and control access to the Website, according to Windows users (using the Remote User field)? Applicure 3 of 3

4 Introduction Overview How do I enable updates to work through a firewall? How do I change the database size limit (Windows)? How do I change the database size limit (Linux)? What is a bad User-Agent and why does dotdefender block certain browsers? How do I let one "good" User-Agent pass through? How do I remove the database when it is taking up too much space? What is a Proxy attack? How do I turn a False Positive into a Whitelist Rule? Does a User-Defined rule still undergo inspection? I am upgrading. How do I back up the rule set (Windows)? I am upgrading. What should I backup (Linux)? How do I clear the Event Log? I have scripts on a Website that are blocked for usage by end-users. How do I allow the scripts to run? I have a content upload page, and I cannot upload new content Troubleshooting System Requirements Chapter 9 Regular Expressions POSIX Basic Regular Expressions POSIX Extended Regular Expressions Chapter 10 Appendix Specific Windows files and features Managing dotdefender Events in the Windows Event Viewer dotdefender Windows Event logs Overview Viewing Applicure Events Viewing dotdefender Audit Events Setting the Event Log Size Saving the Applicure Windows Event Log Clearing the Applicure Windows Event Log Manually creating dotdefender virtual directory Creating dotdefender virtual directory in a specified web site Adding a new Web Service Extension Specific Linux files and features Adding websites to server Applicure 4 of 4

5 1 Introduction This chapter introduces the Applicure dotdefender application. It contains the following sections: Overview Components Benefits Organization of this Guide 1.1 Overview dotdefender is a software-based web application firewall installed on Apache or Microsoft IIS Server. dotdefender provides robust protection against attacks targeting web applications. dotdefender utilizes three security engines to achieve optimal protection: Pattern Recognition: This engine uses rules to detect certain patterns that could indicate an attack and deals with the attack according to configuration. Session Protection: The Session Protection security engine focuses on the user session level, dealing with session spoofing and flooding of the server with HTTP requests (Denial of Service). Signature Knowledgebase: This engine uses signatures to detect known attacks, such as vulnerability scanners, bots, site-scrapers, harvesters, and leeches. Malicious File Upload: Protects upload folders on the server against malicious file uploads. Server Masking & Information Leakage: Camouflages server and application against sensitive information leakage Applicure 5 of 5

6 Introduction Components 1.2 Components dotdefender includes the following applications: Administration Console: Enables you to configure and manage dotdefender: Global Settings (see Configuring Global Settings) Session Protection (see Configuring Session Protection) Website Security Profiles (see Configuring Website Security Profiles) Upload Folders Protection (see Upload Folders Protection) Outgoing (egress) Inspection (see Preventing Information Leakage) Patterns and Signatures (see Configuring Patterns and Signatures) Logs (see Managing Logs). Log Viewer: Displays information about detected attacks, such as originating IP, timestamp, type of attack, and target locations (see Managing Logs) Specific Windows components dotdefender writes security events to the following file: aclogsvc.ddb. Typically located in: C:\Program Files\Applicure\dotDefender for IIS\etc\ dotdefender adds the following branches to the Windows Event log: Applicure: Records security events. dotdefender Audit: Records dotdefender ISAPI filter status. dotdefender comprises the following services: dotdefender Audit Service: Watchdog that polls the filters and writes their current status. dotdefender Log Service: Manages the logs. dotdefender installs the following ISAPI filters: dotdefender(servermasking) dotdefender(responsefilter) dotdefender(urlforwarder) dotdefender(cookietampering) Applicure 6 of 6

7 Introduction Specific Linux/Unix components dotdefender writes security events to the following file: dotdefender_db.sqlite. Located in: /usr/local/appcure/log/ dotdefender comprises the following daemons: dotdefender License daemon: Manages license. dotdefender Log daemon: Manages the logs. dotdefender installs the following module: dotdefender Apache module Applicure 7 of 7

8 Introduction Benefits 1.3 Benefits dotdefender provides the following features and benefits: Lightweight and non-intrusive. Detailed verbose logs, yet enabling you to see the big picture. Cross-platform IIS and Apache. Centrally managed. Rapidly deployed and minimal maintenance required. Scalable and suited to shared hosting environments. Full-blown web services API. 1.4 Organization of this Guide This guide provides the installation and operation instructions for dotdefender, and serves as a resource for types of web attacks and troubleshooting procedures. It is composed of the following chapters: Chapter 1 - Introduction (this chapter), introduces dotdefender. Chapter 2 - Getting Started, describes the system requirements, download and installation process, how to stop and start dotdefender and the typical dotdefender workflow. Chapter 3 - Managing Logs, describes the types of logs, the log settings and how to view logs. It also discusses the handling of false positives. Chapter 4 Preventing Information Leakage, describes how dotdefender protects your sensitive data from proliferation. Chapter 5 - Configuring Website Security Profiles, describes how to configure the Website profiles. Chapter 6 - Configuring Patterns and Signatures, describes how to configure the Patterns and Signatures. Chapter 7 - Configuring Global Settings, describes how to configure server wide settings. Chapter 8 - FAQs and Troubleshooting, details a variety of frequently asked questions and troubleshooting information. Chapter 9 - Regular Expressions, a brief tutorial on writing Regular Expressions. Chapter 10 Appendix, Operating System specific files and features Applicure 8 of 8

9 2 Getting Started This chapter contains the following sections: Using the Administration Console Stopping and Starting dotdefender Applying Changes Workflow Applicure 9 of 9

10 Getting Started Using the Administration Console 2.1 Using the Administration Console This section describes how to access the Administration Console and the toolbar. For additional information about the Administration Console, see Configuring Website Security Profiles. Linux/Unix: In the installation process, an alias is created in the Apache configuration file. dotdefender Administration Console will be accessible through all sites at the Alias specified in the installation process. Windows: In the installation process, a virtual directory is created in the Default Website. dotdefender Administration Console will be accessible at the Default Website under the dotdefender directory. To modify virtual directory location, or create the directory manually, see Manually creating dotdefender virtual directory. To access the Administration Console: Linux/Unix: Browse to (Default user name admin. Password is created in the installation process) Windows: Browse to Note: If dotdefender Administration Console is not accessible, browse to the file dotdefender.html in the dotdefender/alias directory The dotdefender Administration Console window appears. The left pane shows a tree structure where you can select various branches. The right pane shows configuration options for each branch. The following icons appear in the top toolbar: Icon Function Applicure 10 of 10

11 Getting Started Icon Function Applies changes Starts dotdefender Stops dotdefender Opens the Log Viewer Go to previous page Go to next page 2.2 Stopping and Starting dotdefender By default, dotdefender is active immediately upon installation (assuming that you have loaded your license and that the license has not expired). All websites and applications on the server are identified and assigned the Default Security Profile setting. The default Operation Mode setting is Protection, and thus active protection is applied to all websites configured on the web server. There may be some occasions where you need to stop dotdefender. Note: When dotdefender stops, it becomes inactive on the web server where it is installed. Consequently, dotdefender does not perform application protection. When disabled, dotdefender does not use server resources and does not affect server performance. To stop dotdefender: 1. Click in the dotdefender toolbar. The following window appears. Applicure 11 of 11

12 Getting Started Applying Changes 2. Click Close. 3. dotdefender is deactivated as indicated by the grayed-out Stop button: To start dotdefender: 1. Click in the dotdefender toolbar. The following window appears. 2. Click OK. dotdefender is active. 2.3 Applying Changes If you modify settings in the Administration Console, the modifications will take effect only after applying the changes. To apply changes: 1. Click in the dotdefender toolbar. 2. A pop-up message confirms successful submission of the settings. Applicure 12 of 12

13 Getting Started 3. Click Close. Note: If you do not apply the changes and close the Administration Console, the new settings will be ignored and deleted. Applicure 13 of 13

14 Getting Started Workflow 2.4 Workflow The following workflow is recommended: Applicure 14 of 14

15 Getting Started It is recommended that you initially use dotdefender with the default settings. In the Administration Console, set the mode to Monitoring and ensure that the dotdefender log is enabled. After time has elapsed, analyze the logs. If you believe that the cause of a triggered alert is a legitimate application activity, follow the instructions in Identifying False Positives. In the Administration Console, set the mode to Protection. This is an iterative process. Continue to monitor logs and Reference IDs received by the users on an ongoing basis, and make the necessary adjustments to the configuration. Applicure 15 of 15

16

17 3 Managing Logs This chapter contains the following sections: Overview Viewing policy changes in the audit log file Configuring the dotdefender Log Database Viewing the dotdefender Log Database in Log Viewer Identifying False Positives 3.1 Overview There are three types of logs: Applicure log database: Security events, viewed in the dotdefender Log Viewer. Policy change log: Records all changes made to policies via the Administration Console (Windows only): Events logged in two branches in the Windows Event Viewer: Applicure: Records security events. dotdefenderaudit: Records dotdefender filter status. 3.2 Viewing policy changes in the audit log file The changes made via dotdefender Administration Console are recorded in detail, according to the PCI regulation, within tab-separated audit log files. Windows: submit.log contains the most recent change made submit.bak contains the last 1000 changes. Applicure 17 of 17

18 Managing Logs Configuring the dotdefender Log Database Linux/Unix: audit.log The files may be viewed under the following location: Windows: \Program Files\Applicure\dotDefender for IIS\etc\ Linux/Unix: /usr/local/appcure/log/ 3.3 Configuring the dotdefender Log Database You can enable/disable the log for all of the websites using the Default Security Profile, and separately for each Website that does not use the Default Security Profile. Windows: The aclogsvc.ddb log file is located in the following folder: \Program Files\Applicure\dotDefender for IIS\etc Linux/Unix: The dotdefender_db.sqlite log file is located in the following directory: /usr/local/appcure/etc This file has a default maximum of 60,000 events for Linux/Unix and 15,000 event for Windows. This value is user-definable. A user-configurable threshold size can trigger a user-defined action (see How do I change the database size limit?).the database can be copied or moved to a different location and opened in the Log Viewer. Applicure 18 of 18

19 Managing Logs To enable the log for the websites using the Default Security Profile: 1. In the left pane of the Administration Console, select Default Security Profile. The profile settings appear in the right pane. 2. Expand the Advanced Settings section. 3. Select the Write to Log option to enable logging for all websites that use the Default Security Profile. 4. Click to apply the changes. Applicure 19 of 19

20 Managing Logs Viewing the dotdefender Log Database in the Log Viewer To enable the log for a Website not using the Default Security Profile: 1. In the left pane of the Administration Console, select required Website Security Profile. The right pane opens the profile settings area. 2. Expand the Advanced Settings area. 3. Select the Write to Log option to enable logging for this Website. 4. Click to apply the changes. 3.4 Viewing the dotdefender Log Database in the Log Viewer The Log Viewer displays information about countered attacks. You can drill down for more detailed information. This section includes the following sections: Applicure 20 of 20

21 Managing Logs Opening the Log Viewer Filtering the Log Searching for an Event Deleting the dotdefender Log Database File Opening the Log Viewer To open the Log Viewer: Click the Log Viewer tab. The Log Viewer window appears. Select a site in the left pane to see site specific events or select Global Events to see all events for the server. The log shows results for blocked sites, which are displayed in two lists: Recent events for all sites and total attack count for all sites. Note: Ensure that you are viewing the results for the correct dates. For additional information, see Viewing the dotdefender Log. The following icons are available on the Log Viewer toolbar: Applicure 21 of 21

22 Managing Logs Viewing the dotdefender Log Database in the Log Viewer Icon Function Previous view Next view Search for events Filtering the Log You can filter the view for countered attacks per site or view all sites. To filter the log: 1. In the Log Viewer window, under each security profile in the left pane, click one of the following: Events by category: To view all attack categories for a specific site. Events by IP Address: To view all client IP Addresses which were blocked by dotdefender. Applicure 22 of 22

23 Managing Logs 2. To drill down and filter for greater detail, click one of the following: A specific category A specific client IP address 3. Click a specific event to display event details. The following table describes the event details: Name Date Time Rule Category Matched Pattern Description The date of the event. The time when the event occurred. Attack category and sub-category intercepted. See Configuring Patterns and Signatures. The pattern matching the rule that detected the attack. See Adding User-Defined Rules. Applicure 23 of 23

24 Managing Logs Viewing the dotdefender Log Database in the Log Viewer Name Applied Policy IP Address Port Number Destination URL Request Method Site profile Reference ID Description Deny: dotdefender denied this HTTP request. Allow: dotdefender stopped checking the HTTP request, and allowed it to reach the server. Pass: dotdefender skipped this rule and continued inspection using the rest of the rules. The source IP address of the request sender. Port number of the request sender. The URL targeted by the sender. HTTP method, such as GET, POST, HEAD. The security profile of the website. Unique identifier of the event (see Configuring the Error Page). Severity Attack severity level from 0 to 100. HTTP Headers Matching Data Length Details of the HTTP Headers of the HTTP request. The hex dump of the string as it was captured on the wire. The matching substring that triggered the alert is highlighted in yellow Searching for an Event When troubleshooting, you may want to search for a specific event according to the key characteristics of the attack, such as date, Reference ID, or attack category. To search for an event: 1. Click the Search icon in the Log Viewer. The Search window appears. Applicure 24 of 24

25 Managing Logs 2. Set one or more of the search criteria as follows: Select Date, and select the Date range from the drop-down calendars. Select Reference ID, and enter the Reference ID you received on the Error Page (see Configuring the Error Page) In the Advanced options area, select Web Server or Website. From the Attack type drop-down list, select one of the recorded attack types. In the Attack Source IPs area, click to select an IP address from the list of IP addresses that have been logged. 3. Click Search Backing Up the dotdefender Event Database (Windows) To backup the dotdefender Event Database, you can do one or both of the following: Backup dotdefender Event Database Stop the dotdefender Log Service. Copy the file: C:\Program Files\Applicure\dotDefender for IIS\etc\aclogsvc.ddb to a backup location of your choosing. Start the dotdefender Log Service. Applicure 25 of 25

26 Managing Logs Viewing the dotdefender Log Database in the Log Viewer Backup dotdefender Event log from the Windows Event Viewer Open the Windows Event Viewer Right click the Applicure branch Select "Save log file as..." Save in a backup location of your choosing. Note: The dotdefender Log Viewer can only open event databases (*.ddb files). To move the dotdefender log database file 4. Stop the dotdefender Log Service. 5. Copy or move the aclogsvc.ddb log file located in the following folder: \Program Files\Applicure\dotDefender for IIS\etc 6. Start the dotdefender Log Service. 7. The Log Service initializes. If the old event database has been deleted, a new database will be automatically generated Backing Up the dotdefender Event Database (Linux) To backup the dotdefender Event Database, copy the file /usr/local/appcure/log/dotdefender_db.ddb Backup of dotdefender configuration/rules (Linux) There are two methods for dotdefender configuration backup 1. Export security profiles to XML files 2. Backup dotdefender files To export security profiles to XML files 1. Select a security profile. 2. On the right pane, in the Import/Export Security Profile section, click the Export button. Applicure 26 of 26

27 Managing Logs 3. Save the XML file to a backup location. 4. Follow this procedure to each security profile to backup. To backup configuration via file backup Backup the directory /usr/local/appcure/ Backup of dotdefender Configuration/rules (Windows) There are two methods for dotdefender configuration backup: 1. Export security profiles to XML files 2. Backup registry keys and files To backup the dotdefender configuration via registry and file backup: 1. Open the Windows registry 2. Browse to the following registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Applicure 3. Right click the key, select Export and save in a backup location 4. Backup the Applicure directory, typically located in C:\Program Files\Applicure\ To backup security profiles to XML files 1. Select a security profile. Applicure 27 of 27

28 Managing Logs Identifying False Positives 2. On the right pane, in the Import/Export Security Profile section, click the Export button. 3. Save the XML file to a backup location. 4. Follow this procedure to each security profile to backup. 3.5 Identifying False Positives The Website administrator may need to customize dotdefender. As web applications tend to differ in the way they are designed, some web applications activities may appear as attacks and be blocked as a result of dotdefender s default rule settings, even though they originate from valid and legitimate sites. You can use the Reference ID (RID) on the Error Page as a filter in your search in order to find the required request. dotdefender customization enables users to investigate and identify the security problem via the Log Viewer or Event Log. You can then modify the Default Security Profile or Website Security Profiles and create user-defined rules for Patterns, or configure Signatures, see Configuring Patterns and Signatures. Applicure 28 of 28

29 Preventing Information Leakage 4 Preventing Information Leakage This section includes the following sections: Information Leakage Overview Leakage Prevention Best Practice Rules Leakage Prevention Custom Rules 4.1 Information Leakage Overview Applications can unintentionally leak information about their configuration, internal workings, or violate privacy through a variety of application problems. Applications can also leak internal state via how long they take to process certain operations or via different responses to differing inputs, such as displaying the same error text with different error numbers. Web applications will often leak information about their internal state through detailed or debug error messages. Often, this information can be leveraged to launch or even automate more powerful attacks. Applications frequently generate error messages and display them to users. Many times these error messages are quite useful to attackers, as they reveal implementation details or information that is useful in exploiting a vulnerability. There are several common examples of this: Detailed error handling, where inducing an error displays too much information, such as stack traces, failed SQL statements, or other debugging information Functions that produce different results based upon different inputs. For example, supplying the same username but different passwords to a login function should produce the same text for no such user, and bad password. However, many systems produce different error codes OWASP Top 10 - Information Leakage and Improper Error Handling Applicure 29 of 29

30 Preventing Information Leakage Leakage Prevention Best Practices Rules 4.2 Leakage Prevention Best Practices Rules dotdefender offers HTTP outgoing inspection rules as part of the Best-Practices Rule set on the web server protecting against Credit Card Exposure Social Security Number Exposure Application & Database Error suppression 4.3 Leakage Prevention Custom Rules dotdefender allows the administrator to write custom HTTP outgoing inspection rules. Leakage prevention can be obtained in two methods: 1. Adding custom (User-Defined) rules to block responses such as error messages from the application - These rules are written in a similar manner as the incoming traffic rules (See Adding User-Defined rules for responses) 2. Adding Server Masking rules to hide server response headers or change their values for each server response, for example: The Server header can be modified from Apache to IIS. For more information, see Server Masking. Applicure 30 of 30

31 5 Configuring Website Security Profiles This chapter contains the following sections: Website Security Profiles Overview Modifying a Website Security Profile Server Masking Upload Folders Protection 5.1 Website Security Profiles Overview Applicure has created best practice rules to detect possible web attacks. These are defined in the Default Security Profile. Initially, all websites use the Default Security Profile (DSP) settings. Any changes to the Default Security Profile (DSP) are propagated to all Website Security Profiles that are configured to use the Default Security Profile (DSP). This is indicated by the (Use Default) following the Website Security Profile. Always start by using the Default Security Profile. Nonetheless, you may decide to configure a Website Security Profile for a specific website. When you select a Website Security Profile and choose either the Protection, Monitoring or Disabled mode, it no longer uses the Default Security Profile. This mode is indicated in ( ) after the Website Security Profile name. Once you have selected an operating mode other than Use Default Security Profile, you can modify the Website Security Profile by: Importing an application rule set template Exporting an application rule set template Configuring Session Protection settings Applicure 31 of 31

32 Configuring Website Security Profiles Modifying a Website Security Profile Specifying the error page Modifying the advanced settings Changing the Best Practices rule settings. Adding new user-defined rules. 5.2 Modifying a Website Security Profile You can modify the Default Security Profile or any of the Website Security profiles. To modify a Profile: 1. In the left pane of the Administration Console, select the required Profile. The right pane displays the Profile settings. 2. (Optional) In the Description field, enter a description of the Profile. 3. (Optional) You can make changes in any of the following sections: Operating Mode Session Protection Import/Export Security Profile Error Page Advanced Settings Applicure 32 of 32

33 Configuring Website Security Profiles Configuring Operating Mode You can modify how dotdefender protects your site, monitors attacks, and writes logs. To modify the Operating Mode: 1. Expand Operating Mode. The Operating Mode section opens. 2. Select one of the following operating modes: Use Default Security Profile: This option can be used to apply the Default Security Profile to the Website Security Profile. If the Default Security Profile is in Protection operating mode, this mode blocks and sends an error message to the attack source when an attack is detected. The event is automatically recorded in the Log. Protection: This option applies a default template to the specified site. Rules can be applied specifically to this site and the Default Security Profile rules are not applied. This mode blocks and sends an error message to the attack source when an attack is detected. The event is automatically recorded in the Log. Monitoring: This option applies a default template to the specified site without providing protection while monitoring only. Rules can be applied specifically to this site and the Default Security Profile rules are not applied. This option can be used to monitor and write events in the Log, without providing protection: it does not block attacks. Disabled: This option disables dotdefender so that it does not monitor or write events in the Log for this Profile. If this option is selected for the Default Security Profile, all Website Security Profiles using the Default Security Profile will not be protected by dotdefender Configuring Session Protection dotdefender implements a Session Protection mechanism that prevents an attacker from sending a large number of HTTP requests in a short period of time. When an attack attempt is detected, dotdefender bans the IP addresses for a preconfigured interval. Note: It is recommended to leave the default Session Protection parameters as defined by Applicure. If necessary, make specific minor (narrow) adjustments. Applicure 33 of 33

34 Configuring Website Security Profiles Modifying a Website Security Profile To configure Session Protection: 1. Expand Session Protection. The Session Protection section appears. 2. In the right pane, edit one or more parameters, as follows: Enable Session Protection: Enables the Session Protection feature. Max. Requests per seconds: Defines the maximum allowed number of HTTP requests sent from the same IP address to your web server, per specified number of seconds. A user sending requests at a higher rate is blocked. Blocking interval: Sets the time period dotdefender blocks access from the suspected attacker s IP address, counting from the latest request. Write to Log: Allows session protection events to be written to the Log Viewer. 3. Click to apply the changes. Applicure 34 of 34

35 Configuring Website Security Profiles Import/Export security profile Security Profiles settings and rule sets are stored in an XML file. Application rule sets for known applications and content management systems (CMS) can be imported from a prepared template provided by Applicure. To download templates, go to Security Profiles can be transferred from one profile to another by exporting and importing. It does not matter if the Security Profiles are located on the same server or on different servers running on different platforms. To export an Application Rule Set: 1. Expand the Import/Export security profile section 2. Click on the Export button 3. Save the XML file To import an Application Rule Set: 1. Expand the Import/Export security profile section 2. Click on the Import button 3. Browse to an XML file containing a security profile rule set 4. Click to apply the changes Note: All old configuration settings will be removed and the new XML settings will apply. Applicure 35 of 35

36 Configuring Website Security Profiles Modifying a Website Security Profile Configuring the Error Page You can modify the Error Page settings to determine the page that is displayed as well as the address to which valid users report when their requests are blocked. To view the resultant error page, the following request can be sent to the server and should be blocked when security profile is set to Protection: (Where is the URL to one of the websites on the server) You can add the following variables to the body of a custom page: %MAILTO_BLOCK% - entered in the address for blocked request report field. Adding this variable creates an active link to send an to the Website Administrator. The includes the Reference ID, Client IP address and Date. On Linux/Unix platforms, this variable is named % % and must be closed with brackets, like so <% %> %RID% - Reference ID. On Linux/Unix platforms, this variable must be closed with brackets, like so <%RID%> %IP% - Client IP address. On Linux/Unix platforms, this variable must be closed with brackets, like so <%IP%> %DATE_TIME% - Date of blocked request. On Linux/Unix platforms, this variable must be closed with brackets, like so <%DATE_TIME%> To modify the Error Page: 1. Expand the Error Page section. Applicure 36 of 36

37 Configuring Website Security Profiles 2. Select one of the following: Default: This option uses the default Error Page. Custom: This option enables you to enter the path to an error page file, to be displayed by dotdefender in the attacker s browser. For example: IIS: C:\Inetpub\wwwroot\custom_deny.html Apache: /var/www/custom_deny.html Redirect to URL: This option instructs dotdefender to redirect a user to a full URL path (for example, a web page). In this case, no error page is displayed. For Example: (Optional) Click URL Preview to view the page. 3. (Optional) Enter an address in the address for blocked request report to create an active link to send an to the Website Administrator. Note: The %MAILTO_BLOCK% variable (Or <% %> for Linux/Unix) should be added manually to the body of a custom error page. 4. (Optional) Configure the HTTP status code returned to the client when a request has been denied by setting a status code number at the right-hand side of the Return Error Code: field according to the expected application behavior. Some examples for such status codes include: 200, 302, 400, 404 and 500. This is useful when using automatic Vulnerability Assessment software that expects a pre-defined status code in order to differentiate between successful and unsuccessful vulnerability detection Configuring Advanced Settings You can modify the Advanced Settings for various options, such as writing to the log, checking URL encoding, and managing large requests. To modify the Advanced Settings: 1. Expand the Advanced Settings. Applicure 37 of 37

38 Configuring Website Security Profiles Modifying a Website Security Profile 2. Select one or more of the following options: Write to Log: dotdefender writes the attack events to the dotdefender database. Don t Log Parameters (Required by PCI compliance): dotdefender will not log parameter strings. Instead, what will be visible in the event s details are only the detected attack patterns. Check URL Encoding: dotdefender checks that the URL is RFC compliant. Force Byte Range from (minimum value) to (maximum value): dotdefender limits the range of byte values that it will pass. Block Cookie Tampering: dotdefender blocks tampering by cookies. It checks that the cookie was not changed from the time it was issued to the user to the time the user returns the cookie with the next request. Don t Check Invalid Requests: This option instructs dotdefender to ignore invalid HTTP requests, such as non-standard headers, BOT files, HTTP requests originating from Proxy Servers, or syntax missing in the structure. 3. In the Request Size area, enter the maximum permitted request size (in KB) in the Maximum Request Size field. By default, a value higher than the maximum size results in blockage of traffic to the web server. 4. In the Request Size area, select one of the following options: Applicure 38 of 38

39 Configuring Website Security Profiles Pass Large Requests to Web Applications: dotdefender allows HTTP requests that are larger than the maximum request size. Check Beginning of Large Requests Only: dotdefender only checks the beginning of large HTTP requests (that are larger than the maximum request size). Block Large Requests: dotdefender blocks HTTP requests that are larger than the maximum request size (default). 5. In the Response area, select the Check Responses option to apply egress (Outgoing) traffic inspection and filtering. Once this option is selected, all HTTP response rules will be applied. 6. Click to apply the changes. The following pop-up message appears. 7. Click OK. 5.3 Server Masking The server masking function allows you to conceal sensitive infrastructure fingerprint information. This is achieved using HTTP response header removal, replacement or addition. Examples: Masking Server header - In order to mask an IIS 6.0 web server, perform the following: 1. Expand a security profile 2. Select Server Masking Applicure 39 of 39

40 Configuring Website Security Profiles Server Masking 3. In the right pane, click the Add New Rule button 4. In the Header Name field, type: Server 5. In the Filter Type, select Replace 6. In the Header Value, type: Apache Click OK. The new rule appears in the Server Masking Rules list. 8. Click to apply the changes. The following pop-up message appears. 9. Click OK. Applicure 40 of 40

41 Configuring Website Security Profiles Removing X-Powered-by header - In order to remove the X-Powered-by header, perform the following: 1. Expand a security profile 2. Select Server Masking 3. In the right pane, click the Add New Rule button 4. In the Header Value, type: X-Powered-by 5. In the Filter Type, select Remove 6. Click OK. The new rule appears in the Server Masking Rules list. 7. Click to apply the changes. The following pop-up message appears. Applicure 41 of 41

42 Configuring Website Security Profiles Upload Folders Protection 8. Click Close. 5.4 Upload Folders Protection In order to validate uploaded file types and content, use Upload Folder Protection to define fine-grained rules to define allowed/disallowed file extensions, MIME types and content patterns. This mechanism allows protection against malicious file uploads using such public interfaces as image and content management systems. Unvalidated file uploads often lead to complete server compromise using web-shell backdoors masquerading as innocent picture/document files. To create a custom rule to validate uploaded file types and content 1. Expand a security profile 2. Select Upload Folders 3. In the right pane, click the Add New Rule button Applicure 42 of 42

43 Configuring Website Security Profiles 4. In the Upload URI field, type the URI of the upload page. For example: /Content_Upload/upload_form.asp 5. Select Filename should match the following extensions (comma separated) and type the extensions which should be allowed for upload. For example: png,jpg,gif Applicure 43 of 43

44 Configuring Website Security Profiles Upload Folders Protection 6. To create a list of extensions that should not be allowed to be uploaded, select Allow every extension except specified above and follow paragraph 5 above while typing file extensions which should not be allowed. 7. Select Validate Content Type to validate content type of the file and ensure that a malicious script is not attempted to be uploaded using a false extension. 8. (Optional) Select Filename should not match the following expression to block specific filenames. Type a pattern representing the names of files to be blocked. 9. (Optional) Select Content should not match the following expression to block specific patterns in the content of the files. Type a string representing the content to be blocked. 10. Click OK 11. The new rule appears in the Upload Folders Rules list. 12. Click to apply the changes. The following pop-up message appears. Applicure 44 of 44

45 Configuring Website Security Profiles 13. Click Close. Applicure 45 of 45

46

47 6 Configuring Patterns and Signatures Web application hacking attempts are classified by distinct patterns or signatures. This chapter contains the following sections: Patterns and Signatures Overview Rule Categories Enabling/Disabling a Rule Category Configuring Patterns Managing Signatures 6.1 Patterns and Signatures Overview When blocking attacks, dotdefender tries to identify threats based on pattern-matching rules and behavior signatures. The Default Security Profile and Website Security Profiles include: Patterns: Rule Categories that include: User-defined rules: Custom rules for this rule category. Best practices: A predefined set of best practice sub-categories (rules) defined by Applicure. Signatures: Predefined signature categories. To modify the behavior of dotdefender, for example, to allow false positives, you can do one of the following: Define a Whitelist rule. See Configuring Patterns. Disable/enable a rule category. See Enabling/Disabling a Rule Category. Create a user-defined category rule. See Configuring Patterns. Disable/enable a Best Practice category (rule). See Configuring Patterns. Applicure 47 of 47

48 Configuring Patterns and Signatures Patterns and Signatures Overview Enable/disable a signature category. See Managing Signatures. dotdefender Log Viewer displays the category/sub-category of the attack, as well as the substring that caused the alert to be triggered. An example of an attack is displayed in the Event Details window. The fields displayed include: Date Time Category of attack Sub-category of attack IP address of attacker Reference ID The hex dump of the string as it was captured on the wire. The matching substring that triggered the alert is highlighted in yellow. In the example above: Applicure 48 of 48

49 Configuring Patterns and Signatures The Category of the attack is Windows Directories and Files. The Sub-category is FrontPage Extension. The IP Address is The Reference ID is d c4-91ee. The substring is _vti_pvt. 6.2 Rule Categories The dotdefender software has the following predefined rule categories: Pattern Whitelist (Permitted Access List) Description A Whitelist enables you to approve or deny specific users, pages, or actions that are not checked by default by dotdefender. dotdefender users can configure, for example, rules to block access to server applications or, conversely, allow absolute access so they are not checked. dotdefender users can also define certain application web pages or directories not to be checked at all. Whitelist rules are evaluated before all other dotdefender protection rules and signatures. Paranoid A collection of rules that provides a more restrictive level of security, but may interfere with web application usability. You can use this category to tighten security for sensitive applications or functionalities (for example, login or credit card details. Encoding Encoding is a method of representing characters in different ways for use in computer systems. ASCII (American Standard Code for Information Interchange), and UTF (Unicode Transformation Format) are examples of encoding, where the same text is encoded in various ways, so that a web server can interpret it. An Encoding attack harms the application by implementing obfuscation to ensure that suspect packets are camouflaged by, for example, UTF or HEX (Hexadecimal) encoding. This results in a disguised injection of malicious phrases in URLs, parameters or metadata. Buffer Overflow When an application sends more data to a buffer than the buffer is designed to hold, the overflow can cause a system crash or create a vulnerability that enables unauthorized system access. Applicure 49 of 49

50 Configuring Patterns and Signatures Rule Categories Pattern SQL Injection Description An SQL injection is an attack method that targets the database via a web application. This method exploits the application by injecting malicious queries, causing the manipulation of data. SQL injection aims at penetrating back-end database(s) to manipulate data, thus stealing or modifying information in the database. Cross-Site Scripting Scripts comprise of a set of programming language instructions executed by another program (such as a browser). Scripting is used to create dynamic pages in web applications. Cross-site scripting is a client-side attack method that occurs when an attacker uses a web-based application to send malicious code to another user who uses the same application. This attack is most common in dynamically-generated application pages, where embedded application forms are built. This attack is automatically executed when the client s browser opens an HTML web page. As a result of cross-site scripting, a user s browser mistakenly identifies the script as having originated from a trusted source. As a result, the maliciously injected code can access cookies, session tokens, or any other sensitive information. There are two categories of cross-site scripting: Stored attacks: These occur when the injected malicious code is stored on a target server such as a bulletin board, a visitor log, or a comment field. The victim retrieves and executes the malicious code from the server, when interacting with the target server. Reflected attacks: These occur when the user is tricked into clicking a malicious link, or submitting a manipulated form (crafted by the attacker). The injected code travels to the vulnerable web server which reflects the cross-site attack back to the user s browser. The browser then executes the malicious code, assuming it comes from a trusted server. Cookie Manipulation Cookies are commonly used to store user and session identification information that serves as a means of authenticating users to the application. Cookie Manipulation refers to various methods of manipulation of cookie content. Using cookies, an attacker can obtain unauthorized access to the web server. CLRF Injection (Carriage Return/Line Feed) is an example of Cookie Manipulation. Applicure 50 of 50

51 Configuring Patterns and Signatures Pattern Path Transversal Description A URL is a web address translated into a path on the web server. A URL leads to specific directories and files residing on the web server. Path traversal is an attack mechanism that changes the original path to the path desired by an attacker, in order to gain access to internal libraries and folders. Path traversal gains access to an organization s server files and directories that are otherwise inaccessible to external users. Path Traversing is implemented with common OS operations, such as using the characters /../../../.. for traversing between server directories and files. Probing Remote Command Execution Windows Directories and Files XML Schema Probing is an attack aim at collecting information about a web server and applications, based on common practices and educated guesses. Attackers send probes looking for common weaknesses and third-party software that has known vulnerabilities. This information can be used to breach the server. A type of injection, similar to SQL Injection, except that it injects OS Shell commands into the Shell. Windows directories and files are default components created during the installation of IIS and related applications, such as FrontPage, IIS sample page, and more. These default components contain known weaknesses, which an attacker may use to breach the server. XML Schema is a document that describes, in a formal way, the syntax elements and parameters of predefined XML structures and files. It is used in web services and XML-based applications. Since the XML Schema describes all of the available service functions, hackers may use this information to discover vulnerabilities in the application. XPath Injection XPath Cross-Site Scripting XPath is a language used to access parts of an XML document. Hackers may insert malicious code into XML parameters to gain access to the web server, or retrieve information from the database, much like SQL Injection. Inserts cross-site scripting attacks into sections of XML. For further information, see Cross-site Scripting. Applicure 51 of 51

52 Configuring Patterns and Signatures Enabling/Disabling a Rule Category These descriptions can also be viewed online in dotdefender. To view an explanation of a pattern category: 1. In the left pane of the Administration Console, expand the Default Security Profile (Protection), and then expand Patterns. 2. Select a pattern category. The description of the category is shown in the right pane. 6.3 Enabling/Disabling a Rule Category You can enable or disable a rule category. To enable/disable a rule category: 1. In the left pane of the Administration Console, select the required profile. 2. Expand Patterns. 3. Right-click on the rule category and select Disable/Enable. The rule category is enabled or disabled, accordingly. 4. Click to apply the changes. 6.4 Configuring Patterns To configure a pattern category: 1. In the left pane of the Administration Console, select the required Profile. 2. Expand Patterns. Applicure 52 of 52

53 Configuring Patterns and Signatures 3. Expand the required pattern category. 4. Select one of the following: Modifying Best Practices Adding User-Defined Rules Modifying Best Practices dotdefender supplies a series of best practice rules to block attacks. You can modify the rule properties or enable/disable the rule. To modify Best Practices sub-categories: 1. Select Best Practices. The sub-categories appear in the right pane. 2. (Optional) Click / to enable/disable the sub-category (rule). Note: It is recommended to define a URI in the Rule Properties dialog box and select the Apply this rule to all URIs except specified above checkbox rather than disable a rule. 3. Select a sub-category (rule) and click. The Rule Properties window appears. Applicure 53 of 53

54 Configuring Patterns and Signatures Configuring Patterns 4. In the URI field, enter a specific URI under which you want to apply or exclude a rule. By default, rules are applied to all URIs (all web pages). To apply the rule to all URIs except the one you specified ( Exclude ), select Apply this rule to all URIs except specified above. 5. From the Action drop-down list, select one of the following: Deny: Denies the request when the pattern is matched. Allow: Quits scanning the request at this sub-category after the pattern is matched. (Not recommended for Best Practice rules) Monitor Only: Monitors this sub-category when a pattern is matched. 6. From the Log Options drop-down list, select one of the following: Log No Log 7. In the Severity field, the severity can be modified to any value from 0 to 100, where 100 is the highest severity. The value of the severity is used in the Central Management reporting feature, which enables the filtering of events by their severity. 8. In the Tarpit field, choose the required response latency by defining a value in milliseconds next to Tarpit. This option enables delaying rapid attacks, offloading the web server. 9. Click OK. The changes to. 10. Click to apply the changes. The following window appears. Applicure 54 of 54

55 Configuring Patterns and Signatures 11. Click Close Adding User-Defined Rules for incoming requests You can create new rules for dotdefender by using regular expressions to match a pattern that is to be blocked, allowed or monitored. The following instructions explain how to create a rule to block, allow, or monitor incoming HTTP requests to the server. (Optional: Identify the pattern using the sub-string identified in the log. For further information, see Managing Logs.) To add a new rule: 12. Click User Defined Request rules in any category. The User-Defined Rules list appears in the right pane. Applicure 55 of 55

56 Configuring Patterns and Signatures Configuring Patterns 13. Click Add New Rule. The New Rule wizard appears. 14. Type a description for the rule. Click Next. 15. To determine where in the HTTP request dotdefender searches for the custom pattern, select one of the following options: Applicure 56 of 56

57 Configuring Patterns and Signatures Searching in Commonly Attacked Fields of HTTP Requests - Click Next to continue. The Create pattern window appears. Continue with Searching in Commonly Attacked Fields of HTTP Requests. Searching in Client Remote Address Search for pattern in the client s IP address field. Click Next to continue. The Create pattern window appears. Searching in URI - Search for pattern in the URI of the request. Click Next to continue. The Scope of search window appears. Searching in User-Agent header Search for pattern in the User-Agent client software identifier field. Click Next to continue. The Create pattern window appears. Searching in Custom Fields of HTTP Requests - Click Next to continue. The Custom Fields window appears. Continue with Searching in Client Remote Address Searching in custom parameters of XML/SOAP - Click Next to continue. The Custom Fields window appears. Continue with Searching in Custom Parameters of XML/SOAP Searching in Client Remote Address You can specify a pattern to search for in Client Remote Address. To search in Client Remote Address: 1. In the Create pattern window, in the Pattern to Search field, enter a regular expression for which dotdefender looks in the HTTP request. For further information, see Regular Expressions. Applicure 57 of 57

58 Configuring Patterns and Signatures Configuring Patterns 2. From the Take action drop-down list, select one of the following: Block request: dotdefender blocks requests containing the pattern. Allow request (Whitelist): dotdefender allows requests containing the pattern. Monitor: dotdefender only logs HTTP requests containing the pattern. Skip Category: dotdefender excludes rules in this category for requests containing the pattern. 3. (Optional) Select the Write to Log checkbox if you want the events matching the rule to be logged. Applicure 58 of 58

59 Configuring Patterns and Signatures 4. Click Next to continue. The Scope of Search window appears. 5. Select one of the following: Apply to all pages: dotdefender applies the search to all HTTP pages. Apply to specific URI: dotdefender applies the search to a specific URI. Enter the URI field. Apply to all pages except this URI: dotdefender applies the search to all HTTP pages, excluding the specified URI. Applicure 59 of 59

60 Configuring Patterns and Signatures Configuring Patterns 6. Click Next. The Completing the New Rule Wizard window appears. 7. Review the summary of the new rule. Click Finish. The new rule appears in the list of User-Defined Rules. 8. Click to apply the changes. The following window appears. Applicure 60 of 60

61 Configuring Patterns and Signatures 9. Click Close Searching in URI You can specify a URI for which an action will be applied. To search in URI: 1. Select one of the following: Apply to all pages: dotdefender applies the search to all HTTP pages. Apply to specific URI: dotdefender applies the search to a specific URI. Enter the URI field. Apply to all pages except this URI: dotdefender applies the search to all HTTP pages, excluding the specified URI. 2. From the Take action drop-down list, select one of the following: Block request: dotdefender stops requests including this URI. Allow request (Whitelist): dotdefender allows requests including this URI. Monitor: dotdefender only logs HTTP requests including this URI. Skip Category: dotdefender excludes rules in this category for requests containing this URI. 3. (Optional) Select the Write to Log checkbox if you want the events matching the rule to be logged. Applicure 61 of 61

62 Configuring Patterns and Signatures Configuring Patterns 4. Click Next. The Completing the New Rule Wizard window appears. 5. Review the summary of the new rule. Click Finish. The new rule appears in the list of User-Defined Rules. 6. Click to apply the changes. The following window appears. Applicure 62 of 62

63 Configuring Patterns and Signatures 7. Click Close Searching in User-Agent header You can specify a pattern to search for in User-Agent client software identifier field. To search in User-Agent header: 1. In the Create pattern window, in the Pattern to Search field, enter a regular expression for which dotdefender looks in the HTTP request. For further information, see Regular Expressions. 2. From the Take action drop-down list, select one of the following: Block request: dotdefender stops requests containing the pattern. Allow request (Whitelist): dotdefender allows requests containing the pattern. Monitor: dotdefender only logs HTTP requests containing the pattern. Skip Category: dotdefender excludes rules in this category for requests containing the pattern. 3. (Optional) Select the Write to Log checkbox if you want the events matching the rule to be logged. Applicure 63 of 63

64 Configuring Patterns and Signatures Configuring Patterns 4. Click Next to continue. The Scope of Search window appears. 5. Select one of the following: Apply to all pages: dotdefender applies the search to all HTTP pages. Apply to specific URI: dotdefender applies the search to a specific URI. Enter the URI field. Apply to all pages except this URI: dotdefender applies the search to all HTTP pages, excluding the specified URI. Applicure 64 of 64

65 Configuring Patterns and Signatures 6. Click Next. The Completing the New Rule Wizard window appears. 7. Review the summary of the new rule. Click Finish. The new rule appears in the list of User-Defined Rules. 8. Click to apply the changes. The following window appears. 9. Click Close. Applicure 65 of 65

66 Configuring Patterns and Signatures Configuring Patterns Searching in Commonly Attacked Fields of HTTP Requests You can specify a pattern to search for in commonly attacked fields of HTTP requests. To search in commonly attacked fields: 1. In the Create pattern window, in the Pattern to Search field, enter a regular expression for which dotdefender looks in the HTTP request. For further information, see Regular Expressions. 2. From the Take action drop-down list, select one of the following: Block request: dotdefender stops requests containing the pattern. Allow request (Whitelist): dotdefender allows requests containing the pattern. Monitor: dotdefender only logs HTTP requests containing the pattern. Skip Category: dotdefender excludes rules in this category for requests containing the pattern. 3. (Optional) Select the Write to Log checkbox if you want the events matching the rule to be logged. Applicure 66 of 66

67 Configuring Patterns and Signatures 4. Click Next to continue. The Scope of Search window appears. 5. Select one of the following: Apply to all pages: dotdefender applies the search to all HTTP pages. Apply to specific URI: dotdefender applies the search to a specific URI. Enter the URI field. Apply to all pages except this URI: dotdefender applies the search to all HTTP pages, excluding the specified URI. Applicure 67 of 67

68 Configuring Patterns and Signatures Configuring Patterns 6. Click Next. The Completing the New Rule Wizard window appears. 7. Review the summary of the new rule. Click Finish. The new rule appears in the list of User-Defined Rules. 8. Click to apply the changes. The following window appears. 9. Click Close. Applicure 68 of 68

69 Configuring Patterns and Signatures Searching in Custom Parameters of XML/SOAP Elements Simple Object Access Protocol (SOAP) is a protocol for communication between applications and a format for sending messages via the Internet. SOAP is based on XML; it is platform and language independent, and it is a W3C recommendation. A schema serves as a map of an XML structure. dotdefender recognizes two types of schemas:.xsd (commonly used for XML file structure maps) and.wsdl (used as an interface menu for Web Services) To search in custom parameters of XML/SOAP elements: 1. In the XML Parameters window, do one of the following: Select Element from schema and set the schema properties as follows: a) Click Import to add a referable schema. b) Select a.wsdl or.xsd file and click Open. The file is added to the Schema area. c) Select the Service from the drop-down list. d) Select the Method from the drop-down list. e) Select the Element. Select XPath and enter the location of the pattern to be searched. This is an alternative to pointing out the location in the schema. Note: When this option is selected, all Element from Schema fields are disabled. Applicure 69 of 69

70 Configuring Patterns and Signatures Configuring Patterns 2. Click Next to continue. The Create pattern window appears. 3. In the Pattern to search field, enter a regular expression representing a value to be blocked/allowed for the location selected in the Adding New Rule Completing the New Rule Wizard window. For example, if REMOTE_ADDRESS has been selected, a regular expression representing the IP address to block or allow should be typed here. 4. Enter a regular expression for which dotdefender looks in the HTTP request. For further information, see Regular Expressions. 5. From the Take action drop-down list, select the action to be taken when a pattern is matched: Block request: dotdefender blocks HTTP requests containing the pattern. Allow request (Whitelist): dotdefender allows requests containing the pattern. Monitor: dotdefender only logs HTTP requests containing the pattern. Skip Category: dotdefender excludes rules in this category for requests containing the pattern. 6. (Optional) Select Write to Log so that HTTP requests containing the pattern appear as Log events. Applicure 70 of 70

71 Configuring Patterns and Signatures 7. Click Next. The Scope of Search window appears. 8. Select one of the following: Apply to all pages: dotdefender applies the search to all HTTP pages. Apply to specific URI: dotdefender applies the search to a specific URI. Enter the URI field. Apply to all pages except this URI: dotdefender applies the search to all HTTP pages, excluding the specified URI. Applicure 71 of 71

72 Configuring Patterns and Signatures Configuring Patterns 9. Click Next. The Completing the New Rule Wizard window appears. Review the summary of the new rule. Click Finish. 10. Click to apply the changes. The following window appears. 11. Click Close. Applicure 72 of 72

73 Configuring Patterns and Signatures Adding User-Defined Rules for responses You can create new rules for dotdefender by using regular expressions to match a pattern that is to be blocked, allowed or monitored. The following instructions explain how to create a rule to block, allow, or monitor outgoing responses from the server. To add a new rule: 1. Click User Defined Response Rules in any category. The User-Defined Reponse Rules list appears in the right pane. Applicure 73 of 73

74 Configuring Patterns and Signatures Configuring Patterns 2. Click Add New Rule. The New Rule wizard appears. 3. Type a description for the rule. Click Next. 4. In the Pattern to search field, enter a regular expression representing a value to be blocked or allowed in the response. Click Next. Applicure 74 of 74

75 Configuring Patterns and Signatures 5. The Completing the New Rule Wizard window appears. Review the summary of the new rule. Click Finish. 6. The new rule appears in the list of User-Defined Rules. 7. Click to apply the changes. The following window appears. Applicure 75 of 75

76 Configuring Patterns and Signatures Configuring Patterns 8. Click Close Managing the Rules This section includes: Viewing the User-Defined Rules Enabling/Disabling a User-Defined Rule Deleting a User-Defined Rule Editing a User-Defined Rule Viewing the User-Defined Rules The User-Defined Rules appear in the right pane of the Administration Console. An example of three new Rule Types is shown below: Standard: Created when the Search in commonly attacked fields of HTTP requests option is selected. Custom: Created when the Search in custom fields of HTTP requests option is selected. XML: Created when the Search in custom parameters of XML/SOAP elements option is selected. Applicure 76 of 76

77 Configuring Patterns and Signatures Enabling/Disabling a User-Defined Rule You can enable or disable a User-Defined Rule. Note: By default, every new rule defined is enabled (checkbox is selected). To enable/disable a User-Defined Rule: 1. Click / to select/deselect a User-Defined Rule. 2. Click for the changes to take effect. The following window appears. 3. Click Close Deleting a User-Defined Rule 1. Click to delete a User-Defined Rule. The following window appears. 2. Click Yes. 3. Click for the changes to take effect. The following window appears. Applicure 77 of 77

78 Configuring Patterns and Signatures Configuring Patterns 4. Click OK Editing a User-Defined Rule This enables you to add additional fixed and dynamic locations and define Tarpit response latency. To edit a User-Defined Rule: Click next to the User-Defined Rule. The Rule Properties window appears. The example above demonstrates how to deny any IP address, excluding , from accessing a sensitive web page. For additional information, see Adding User-Defined Rules. Choose the required response latency by defining a value in milliseconds next to Tarpit. This option enables delaying rapid attacks, offloading the web server. Applicure 78 of 78

79 Configuring Patterns and Signatures The example above demonstrates how to slow down automatic spam bots from overloading a web form. In the case that the bot is identified via the User-Agent header, it is denied access, while the response arrives 10 seconds (10,000 milliseconds) after the request has been received at the server side. Select the required Filter Type from the list below: Recommended Locations Commonly attacked locations Remote Address (IP) The IP address of the connecting user URI - The relative application URL address including parameters User Agent The client software identifier string Custom Locations Locations specified in the Edit Locations menu To edit and/or add specific locations, click Edit Locations. The Locations window appears, enabling you to add multiple locations. Note: This option is available only when Custom Locations is selected. Applicure 79 of 79

80 Configuring Patterns and Signatures Configuring Patterns The Fixed Locations pre-defined fields are parsed for HTTP incoming requests. In the Fixed Locations area, select one of the following: Field REMOTE_ADDRESS REMOTE_HOST REMOTE_USER REQUEST_METHOD PATH_INFO AUTEXTYPE SERVER_NAME SERVER_SOFTWARE FIRST_REQUEST_LINE REQUEST_URI Description IP address of the connecting user Host of the connecting user Authenticated username on IIS HTTP request method. For example: GET, POST The relative application URL address without parameters. For example: /registration/forms/register.asp HTTP authentication type. For example: Basic Authentication Host name as appears in the HOST header. For example: Version of the IIS server The first line of the full HTTP request, as received by IIS The relative application URL address including parameters. For example: /registration/forms/register.asp?form=reg Applicure 80 of 80

81 Configuring Patterns and Signatures Field PARAMETERS PARAMETERS_VALUES XML_VALUES Description The string containing the parameter names and values Parameter values only XML values only Click Add. The fixed location is added. Repeat this step to add more fixed locations. The Dynamic Locations are environment variables. In the Dynamic Locations field, select one of the following: Field ENV HEADER PARAMETER COOKIE XML Description OS environment variable, such as Path, Computer Name, Home Directory, Current User, Windows Directory HTTP Header Name GET or POST parameter name Name of cookie One of the XML parameters Enter the required dynamic location information. Click Add. The dynamic location is added. Repeat steps 6 and 7 to add more dynamic locations. Click Close. The Rule Properties window appears. Click OK. Click to apply the changes. 6.5 Managing Signatures You can enable or disable a Signature category. Rules are not created for Signatures. The Signatures that dotdefender inspects include the following: Comprised/Hacked Servers Anti-Proxy Protection Known-Worms Signatures Applicure 81 of 81

82 Configuring Global Settings (Windows) Enabling / Disabling logging to Windows Event Logs Bad User-Agents Signatures Known Spammer Crawlers MPack Protection To view an explanation of a signature category: 1. In the left pane of the Administration Console, expand the required profile. 2. Expand Signatures. 3. Select a Signature category. The description appears in the right pane. To enable/disable a signature category: 1. In the left pane of the Administration Console, select the required Profile. 2. Expand Signatures. 3. Right-click on the signature category and select Disable/Enable. The signature category is either enabled or disabled. 7 Configuring Global Settings This chapter explains the server wide settings available in dotdefender This chapter contains the following sections: (Windows)Enabling/Disabling logging to Windows Event Logs Enabling/Disabling NAT support Updates Applicure 82 of 82

83 Configuring Global Settings 7.1 (Windows) Enabling / Disabling logging to Windows Event Logs To enable the global logging across websites: 1. In the left pane of the Administration Console, select Global Settings. The right pane opens the Global Settings area. 2. Select the Write to Local Event Log option to enable the logging globally. 3. Click to apply the changes. 7.2 Enabling / Disabling NAT Support The NAT support feature allows dotdefender to properly identify client IP addresses while working behind a NAT device such as: load balancer, proxy, and firewall. Using the X-Forwarded-For HTTP header, the frontend device communicates the original client address as seen within the request. To enable NAT support: 1. In the left pane of the Administration Console, select Global Settings. The right pane opens the Global Settings area. 2. Select the Follow X-Forwarded-For headers behind a NAT device option to enable global identification of all remote client addresses behind NAT. 3. Click to apply the changes. Applicure 83 of 83

84 Configuring Global Settings Updates 7.3 Updates To enable automatic update checking, select the Check for updates checkbox. To enable automatic update installation, select the Update is silent checkbox. Applicure 84 of 84

85 8 FAQs and Troubleshooting This chapter contains the following sections: FAQs (Frequently Asked Questions) Troubleshooting 8.1 FAQs The following list includes some of the questions that are frequently addressed to technical support: How do I allow an IP address, or a range of IP addresses? How do I identify and control access to the Website, according to Windows users (using the Remote User field)? How do I enable updates to work through a firewall? How do I change the database size limit (Windows)? How do I change the database size limit (Linux)? What is a bad User-Agent and why is dotdefender blocking some browsers for it? How do I let one "good" User-Agent pass through? How do I remove the database when it is taking up too much space? What is a Proxy attack? How do I turn a False Positive into a Whitelist Rule? Does a user-defined rule still undergo inspection? How do I back up the rule set (Windows)? What should I backup for upgrade (Linux)? How do I clear the Event Log? I have scripts on a website that are blocked for usage by end-users. How do I allow the scripts to run? Applicure 85 of 85

86 FAQs and Troubleshooting FAQs After I installed dotdefender, I keep getting blocked at a content upload page, and I cannot upload new content How do I allow an IP address, or a range of IP addresses? To allow an IP address or a range of IP addresses, add a User-Defined Rule. For further information on the regular expressions, see Regular Expressions. Note: This IP address or range of IP addresses will be white-listed for all rules. 4. Click the Configuration tab on the right pane. 5. Expand the required Profile. 6. Expand Patterns. 7. Expand Whitelist. 8. Click User Defined. 9. In the right pane, click Add New Rule. 10. In the Rule Description window, enter a description for the rule and click Next. 11. In the Rule Type Selection window, select Search in HTTP requests and click Next. 12. In the Rule Type window, select Search in client remote address and click Next. 13. To white-list one IP address, in the Create Pattern window, enter the IP address beginning with the caret sign and ending with the dollar sign and add backslashes before each dot (since this is a regular expression field). For example, to white-list the IP , enter: ^192\.168\.200\.100$ 14. To white-list a range of IP addresses, in the Create Pattern window, enter a regular expression representing the range. For example, to white-list the range , enter: ^10\.20\.((5[4-9]) (6[0-8]))\.(([0-9]) ([1-9][0-9]) (1[0-9][0-9]) (2[0-4][0-9]) (25[0-5]))$ 15. In the same window, in the Take Action field, select white-list and choose whether to log all events for the IP or not. 16. Click Next. Applicure 86 of 86

87 FAQs and Troubleshooting 17. In the Scope of Search window, click Next and then click Finish. 18. Click for the settings to take effect. The following window appears. 19. Click OK How do I identify and control access to the Website, according to Windows users (using the Remote User field)? 20. Create a new rule (see Adding User-Defined Rules). 21. From the Standard HTTP request fields drop-down list, select Match with Remote user name. 22. Click Next. The Create pattern window appears. Applicure 87 of 87

88 FAQs and Troubleshooting FAQs 23. In the Pattern to search field, enter the name of the Windows user who should have access to the site. 24. From the Take action drop-down list, select Allow request (Whitelist). This removes protection for this user. 25. Click Next. The Scope of Search window appears. Applicure 88 of 88

89 FAQs and Troubleshooting 26. In the Apply to specific URI field, enter the page or path that this user can access. This is defined using a regular expression. For further information, see Regular Expressions. 27. Click Next. The Completing the New Rule Wizard window appears. This rule allows access to My_Secret_Page.asp to the Windows user "Some_user" How do I enable updates to work through a firewall? Open port 80 in the firewall for the following addresses: services.installshield.com updates.applicure.com How do I change the database size limit (Windows)? The dotdefender Log Service (aclogsvc), checks the database (aclogsvc.ddb) every 500 events (Registry key: LogTruncateCheckFrequency). If the number of events reaches 15,000 (Registry key: LogTruncateMaxCount) it deletes 10% of the items in the database (Registry key: LogTruncateCountDivider), while using the First In First Out method (deleting old events first). Applicure 89 of 89

90 FAQs and Troubleshooting FAQs Each event (Record) logged in the database is limited to approximately 64 KB. Potentially the size of the database can reach approximately 1 GB, when using the default values: 64 KB * 15,000 = ~ 1 GB. The parameters are configurable in the registry: [HKEY_LOCAL_MACHINE\SOFTWARE\Applicure\dotDefender\aclogsvc] "LogTruncateCheckFrequency"= 500 "LogTruncateMaxCount"=15000 "LogTruncateCountDivider"=10 Make these changes in the registry and then restart dotdefender Log Service for the settings to take effect How do I change the database size limit (Linux)? dotdefender log service checks the database(dotdefender_db.sqlite) every 500 events. If the number of events reaches 60,000, retains 90% of the items in the database (54,000 events), while using the First In First Out method (deleting old events first). This values can be edited in the /usr/local/appcure/etc/dotdefender_logd.conf file, Where "HIGH" stands for maximal number of events, "LOW" for number of events retained after deletion, and "SLEEP" for time (In seconds) to wait before checking database limit What is a bad User-Agent and why does dotdefender block certain browsers? A User-Agent is an HTTP header, containing a string identifying the software being used by the client to connect to the Website. For example, this might be Internet Explorer, Mozilla Firefox, Nokia, or Motorola cellular phones. The Bad User-Agents database is a very effective mechanism for distinguishing legitimate surfers from automatic, malicious tools meant for scanning and attacking the Website. There are borderline situations where a component that has been used by malicious software is also used in legitimate software, especially in auto scripts and bots, for example, Indy library. In this case, see How do I let one "good" User-Agent pass through? Applicure 90 of 90

91 FAQs and Troubleshooting How do I let one "good" User-Agent pass through? Sometimes there is a borderline situation where an automatic tool is essential and harmless to the Website. In this case, you can use the Whitelist to allow a specific User- Agent through by defining this User-Agent string under User-Agent header. 28. Create a new rule (see Adding User-Defined Rules). The Rule Type window appears. 29. Select Search in User-Agent header, and click Next. The Create pattern window appears. Applicure 91 of 91

92 FAQs and Troubleshooting FAQs 30. In the Pattern to search field, enter the User-Agent string (preferably under a specific URL only) How do I remove the database when it is taking up too much space? See Deleting the dotdefender Log Database File What is a Proxy attack? A proxy attack is an attempt to use your web server as a jumping point to attack other sites. Your web server then attacks other sites How do I turn a False Positive into a Whitelist Rule? See Adding User-Defined Rules Does a User-Defined rule still undergo inspection? In the Create Pattern window, you can define the policy as: Deny: dotdefender for IIS denies this HTTP request. Allow: dotdefender for IIS stops checking the HTTP request, and allows it to enter the server. Pass: dotdefender for IIS monitors this request, without intervening I am upgrading. How do I back up the rule set (Windows)? You can only back up the Default Security Profile. Central Management allows Default Security Profile replication between different servers. 31. In the Registry, HKEY_LOCAL_MACHINE\SOFTWARE\Applicure\dotDefender.effective > Sites > 0, 0 represents the Default Security Profile. 32. Right-click and select Export. 33. Save the file as type.backup 34. After you have upgraded, double-click the backup file, and when prompted to export the file, click Yes. Applicure 92 of 92

93 FAQs and Troubleshooting I am upgrading. What should I backup (Linux)? Simply copy the folder /usr/local/appcure/etc, which contains all the information needed such as configuration files, logs and license file. After the upgrade copy the backup to the same directory on the server How do I clear the Event Log? See Clearing the Applicure Windows Event Log I have scripts on a Website that are blocked for usage by end-users. How do I allow the scripts to run? See Modifying Best Practices. Note: If this method does not work, select Patterns > Windows Directories and Files > Best Practices > Test Scripts, and select Disable. 35. In the required profile, select Patterns > Windows Directories and Files > Best Practices > Test Scripts. 36. Click Edit. The Rule Properties window appears. 37. In the URI field, enter the directory (URI) that should not be blocked. 38. From the Action drop-down list, select Allow. 39. Select No log. 40. Click OK. 41. Click to apply the changes I have a content upload page, and I cannot upload new content. 42. In the Log Viewer, click the Search icon. 43. Select Reference ID and enter the Reference ID that you received on the Error Page. 44. Click Search. The URL of the upload page appears. Applicure 93 of 93

94 Regular Expressions Troubleshooting 45. Focus specifically on the categories Classic SQL, SQL Comments, and any category of Cross Site Scripting. 46. Examine the Log Viewer for any alerts for these categories. 47. Notice the URL of the content upload page. 48. Create a User-Defined rule for SQL and Cross Site Scripting for this site. See Adding User-Defined Rules. 8.2 Troubleshooting This section describes errors and how to solve them. The action(s) to be taken to resolve each problem are provided in the order of priority. To resolve each problem, start with step one and continue to the next until the problem is solved System Requirements dotdefender supports IIS Servers web servers 5.x and higher. dotdefender supports the following operating systems: Windows 2008 Windows 2003: Service Pack 1 and the latest Windows updates Applicure 94 of 94

95 Regular Expressions 9 Regular Expressions dotdefender supports regular and extended regular expressions. This chapter contains the following sections: POSIX Basic Regular Expressions POSIX Extended Regular Expressions 9.1 POSIX Basic Regular Expressions Expression Description. Matches any single character. For example, a.c matches "abc", etc., but [a.c] matches only "a", ".", or "c". [ ] A bracket expression. Matches a single character that is contained within the brackets. For example, [abc] matches "a", "b", or "c". [a-z] specifies a range which matches any lowercase letter from "a" to "z". These forms can be mixed: [abcx-z] matches "a", "b", "c", "x", "y", or "z", as does [a-cx-z]. [^ ] Matches a single character that is not contained within the brackets. For example, [^abc] matches any character other than "a", "b", or "c". [^a-z] matches any single character that is not a lowercase letter from "a" to "z". ^ Matches the starting position within the string. $ Matches the ending position of the string or the position just before a string-ending newline. Applicure 95 of 95

96 Regular Expressions POSIX Extended Regular Expressions Expression Description \( \) Defines a marked subexpression. The string matched within the parentheses can be recalled later (see the next entry, \n). \n Matches what the nth marked subexpression matched, where n is a digit from 1 to 9. * Matches the preceding element zero or more times. For example, ab*c matches "ac", "abc", "abbbc", etc. [xyz]* matches "", "x", "y", "z", "zx", "zyx", "xyzzy", and so on. \(ab\)* matches "", "ab", "abab", "ababab", and so on. \{m,n\} Matches the preceding element at least m and not more than n times. For example, a\{3,5\} matches only "aaa", "aaaa", and "aaaaa". 9.2 POSIX Extended Regular Expressions POSIX Perl ASCII Description [:alnum:] [A-Za-z0-9] Alphanumeric characters [:word:] \w [A-Za-z0-9_] Alphanumeric characters plus "_" \W [^\w] non-word character [:alpha:] [A-Za-z] Alphabetic characters [:blank:] [ \t] Space and tab [:cntrl:] [\x00-\x1f\x7f] Control characters [:digit:] \d [0-9] Digits Applicure 96 of 96

97 Regular Expressions POSIX Perl ASCII Description \D [^\d] non-digit [:graph:] [\x21-\x7e] Visible characters [:lower:] [a-z] Lowercase letters [:print:] [\x20-\x7e] Visible characters and spaces [:punct:] }~] Punctuation characters [:space:] \s [ \t\r\n\v\f] Whitespace characters \S [^\s] non-whitespace character [:upper:] [A-Z] Uppercase letters [:xdigit:] [A-Fa-f0-9] Hexadecimal digits If you need support or have any questions during the deployment process, please feel free to contact us at: Applicure Technologies Ltd. USA: UK: Applicure 97 of 97

98 Appendix Specific Windows files and features 10 Appendix This chapter contains the following sections: Specific Windows files and features Specific Linux/Unix files and features 10.1 Specific Windows files and features Managing dotdefender Events in the Windows Event Viewer This section includes the following topics: dotdefender Windows Event logs Overview Viewing Applicure Events Viewing dotdefender Audit Events Setting the Event Log Size Saving the Applicure Windows Event Log Clearing the Applicure Windows Event Log dotdefender Windows Event logs Overview Note: To enable server wide logging to Windows Event Logs, see Enabling / Disabling Logging to Windows Event Logs dotdefender adds the following branches to the Windows Event Viewer: Applicure: Records security events. dotdefender Audit: Records dotdefender filter status. Applicure 98 of 98

99 Appendix Viewing Applicure Events The Applicure branch contains dotdefender security events. To view Applicure events: 1. In the left pane of the Administration Console, expand Event Viewer (Local) and select Applicure. 2. Double-click or right-click an event and select Properties. The Information Properties window appears. Applicure 99 of 99

100 Appendix Specific Windows files and features The information for each attack includes the following: Date and Time Source of event Category and type of event Event ID User Computer (server) Description of attack with Rule Category and sub-category IP address of attack Destination URL Request Method Name of Security Profile Matched Pattern Substring that caused error HTTP Headers, such as User Agent and Cookie HTTP Body Viewing dotdefender Audit Events Overview dotdefender keeps two audit trace logs that reflect the status and policy changes in the security policy of each website as required by the PCI regulation. These status messages are divided into two logs: 1. dotdefenderaudit Windows Event Log ISAPI filter status 2. Policy Change Log All changes made via dotdefender Administration Console (See Viewing policy changes in the audit log file) dotdefenderaudit is a watchdog service that polls dotdefender for any status changes. The information on any change in Operating Mode includes the date and time of change, designating dotdefenderaudit as the source, the Event ID, and the computer. Applicure 100 of 100

101 Appendix To view detailed dotdefenderaudit events: 1. In the left pane of the Administration Console, open Event Viewer (Local) and select dotdefenderaudit. 2. Double-click or right-click an event. The right pane expands to show the Audit events. 3. Select Properties to display an explanation of the event Setting the Event Log Size To set the Event log size: 1. In the left pane of the Administration Console, open Event Viewer (Local). Applicure 101 of 101

102 Appendix Specific Windows files and features 2. Right-click on dotdefenderaudit or Applicure, and select Properties. 3. Set the Maximum log size. 4. The overwrite options in the When maximum log size is reached area specify what happens when the log size limit is reached. Select one of the following options: Overwrite events as needed: When the log is full, the newest event replaces the oldest event. Overwrite events older than days: Specifies the number of days before a log can be overwritten. Do not overwrite events (clear log manually): If the maximum log file is reached, new events are discarded. 5. Click OK. The log file settings are changed. Applicure 102 of 102

103 Appendix Saving the Applicure Windows Event Log You can export the log for troubleshooting purposes. To save the Applicure Windows Event Log: 1. In the left pane of the Administration Console, open Event Viewer (Local). 2. Right-click on dotdefenderaudit or Applicure, and select Save Log File As Enter a name for your file and set the file type to.evt (Event Log) Clearing the Applicure Windows Event Log To clear the Applicure Windows Event Log: 1. In the left pane of the Administration Console, open Event Viewer (Local). 2. Right-click on dotdefenderaudit or Applicure and select Clear all Events. The events are cleared and the right pane no longer displays events Manually creating dotdefender virtual directory When installing dotdefender, the installation attempts to create a virtual directory under the Default Web Site. If the Default Web Site does not exist, the virtual directory should be created manually, by following the procedure below. This procedure contains the following sections: Creating dotdefender virtual directory in a specified web site Adding a new Web Service Extension Creating dotdefender virtual directory in a specified web site To create the virtual directory manually on a specified site, follow the instructions below: Applicure 103 of 103

104 Appendix Specific Windows files and features 1. Open IIS manager 2. Expand Websites 3. Right click the site where the virtual directory should be installed 4. Select New Virtual Directory 5. Click Next 6. In the Alias field, type: dotdefender and click Next Applicure 104 of 104

105 Appendix 7. In the Path field, enter the path to the cgi-bin directory under the dotdefender installation directory and click Next Applicure 105 of 105

106 Appendix Specific Windows files and features 8. In the Virtual Directory Access Permissions page, select Read and Execute (such as ISAPI applications or CGI) and click Next 9. Click Finish 10. Right click the newly created dotdefender virtual directory and select Properties 11. In the Virtual Directory tab, under Application settings, click Configuration 12. In the Mappings tab, under Application Extensions, click Add 13. In the Executable field, enter the path to the file dotdefenderws.exe which is located in the cgi-bin directory of the dotdefender installation directory. Typically: C:\Program Files\Applicure\dotDefender for IIS\cgi-bin\dotDefenderWS.exe. Add quote signs at the beginning and end of the path. 14. In the Extension field, type:.exe (Including the dot) 15. Remove the selection from the option: Script engine 16. Verify the following option is selected: Verify that file exists 17. Optional (For security reasons): Select the Limit to radio button and type: POST,HEAD,GET Applicure 106 of 106

107 Appendix 18. Click OK to close the Add/Edit Application Extension Mapping window 19. Click OK to close the Application Configuration window 20. In the Directory Security tab, under Authentication and access control, click Edit 21. Remove the selection from the option Enable anonymous connection 22. In the Authentication access section, select Integrated Windows authentication 23. Click OK to close the Authentication Methods window Applicure 107 of 107

dotdefender v5.18 User Guide

dotdefender v5.18 User Guide dotdefender v5.18 User Guide Applicure Web Application Firewall Table of Contents 1. Introduction... 5 1.1 Overview... 5 1.2 Components... 6 1.3 Benefits... 7 1.4 Organization of this Guide... 8 2. Getting

More information

Ethical Hacking and Countermeasures: Web Applications, Second Edition. Chapter 3 Web Application Vulnerabilities

Ethical Hacking and Countermeasures: Web Applications, Second Edition. Chapter 3 Web Application Vulnerabilities Ethical Hacking and Countermeasures: Web Chapter 3 Web Application Vulnerabilities Objectives After completing this chapter, you should be able to: Understand the architecture of Web applications Understand

More information

GUI based and very easy to use, no security expertise required. Reporting in both HTML and RTF formats - Click here to view the sample report.

GUI based and very easy to use, no security expertise required. Reporting in both HTML and RTF formats - Click here to view the sample report. Report on IRONWASP Software Product: IronWASP Description of the Product: IronWASP (Iron Web application Advanced Security testing Platform) is an open source system for web application vulnerability testing.

More information

C1: Define Security Requirements

C1: Define Security Requirements OWASP Top 10 Proactive Controls IEEE Top 10 Software Security Design Flaws OWASP Top 10 Vulnerabilities Mitigated OWASP Mobile Top 10 Vulnerabilities Mitigated C1: Define Security Requirements A security

More information

KYOCERA Net Admin User Guide

KYOCERA Net Admin User Guide KYOCERA Net Admin User Guide Legal Notes Unauthorized reproduction of all or part of this guide is prohibited. The information in this guide is subject to change without notice. We cannot be held liable

More information

Application Security through a Hacker s Eyes James Walden Northern Kentucky University

Application Security through a Hacker s Eyes James Walden Northern Kentucky University Application Security through a Hacker s Eyes James Walden Northern Kentucky University waldenj@nku.edu Why Do Hackers Target Web Apps? Attack Surface A system s attack surface consists of all of the ways

More information

Solutions Business Manager Web Application Security Assessment

Solutions Business Manager Web Application Security Assessment White Paper Solutions Business Manager Solutions Business Manager 11.3.1 Web Application Security Assessment Table of Contents Micro Focus Takes Security Seriously... 1 Solutions Business Manager Security

More information

GFI MailSecurity 2011 for Exchange/SMTP. Administration & Configuration Manual

GFI MailSecurity 2011 for Exchange/SMTP. Administration & Configuration Manual GFI MailSecurity 2011 for Exchange/SMTP Administration & Configuration Manual http://www.gfi.com info@gfi.com The information and content in this document is provided for informational purposes only and

More information

ForeScout Extended Module for Carbon Black

ForeScout Extended Module for Carbon Black ForeScout Extended Module for Carbon Black Version 1.0 Table of Contents About the Carbon Black Integration... 4 Advanced Threat Detection with the IOC Scanner Plugin... 4 Use Cases... 5 Carbon Black Agent

More information

SPOOFING. Information Security in Systems & Networks Public Development Program. Sanjay Goel University at Albany, SUNY Fall 2006

SPOOFING. Information Security in Systems & Networks Public Development Program. Sanjay Goel University at Albany, SUNY Fall 2006 SPOOFING Information Security in Systems & Networks Public Development Program Sanjay Goel University at Albany, SUNY Fall 2006 1 Learning Objectives Students should be able to: Determine relevance of

More information

Configuring User Defined Patterns

Configuring User Defined Patterns The allows you to create customized data patterns which can be detected and handled according to the configured security settings. The uses regular expressions (regex) to define data type patterns. Custom

More information

INF3700 Informasjonsteknologi og samfunn. Application Security. Audun Jøsang University of Oslo Spring 2015

INF3700 Informasjonsteknologi og samfunn. Application Security. Audun Jøsang University of Oslo Spring 2015 INF3700 Informasjonsteknologi og samfunn Application Security Audun Jøsang University of Oslo Spring 2015 Outline Application Security Malicious Software Attacks on applications 2 Malicious Software 3

More information

Configuring attack detection and prevention 1

Configuring attack detection and prevention 1 Contents Configuring attack detection and prevention 1 Overview 1 Attacks that the device can prevent 1 Single-packet attacks 1 Scanning attacks 2 Flood attacks 3 TCP fragment attack 4 Login DoS attack

More information

Computer Forensics: Investigating Network Intrusions and Cyber Crime, 2nd Edition. Chapter 3 Investigating Web Attacks

Computer Forensics: Investigating Network Intrusions and Cyber Crime, 2nd Edition. Chapter 3 Investigating Web Attacks Computer Forensics: Investigating Network Intrusions and Cyber Crime, 2nd Edition Chapter 3 Investigating Web Attacks Objectives After completing this chapter, you should be able to: Recognize the indications

More information

Provide you with a quick introduction to web application security Increase you awareness and knowledge of security in general Show you that any

Provide you with a quick introduction to web application security Increase you awareness and knowledge of security in general Show you that any OWASP Top 10 Provide you with a quick introduction to web application security Increase you awareness and knowledge of security in general Show you that any tester can (and should) do security testing

More information

BIG-IP Application Security Manager : Getting Started. Version 12.1

BIG-IP Application Security Manager : Getting Started. Version 12.1 BIG-IP Application Security Manager : Getting Started Version 12.1 Table of Contents Table of Contents Introduction to Application Security Manager...5 What is Application Security Manager?...5 When to

More information

Unified CCX Administration Web Interface

Unified CCX Administration Web Interface The Unified CCX provides a multimedia (voice, data, and web) IP-enabled customer-care application environment, using VoIP technology that allows your Cisco Unified Communications network to share resources

More information

BIG-IP Application Security Manager : Attack and Bot Signatures. Version 13.0

BIG-IP Application Security Manager : Attack and Bot Signatures. Version 13.0 BIG-IP Application Security Manager : Attack and Bot Signatures Version 13.0 Table of Contents Table of Contents Assigning Attack Signatures to Security Policies...5 About attack signatures...5 About

More information

CIS 700/002 : Special Topics : OWASP ZED (ZAP)

CIS 700/002 : Special Topics : OWASP ZED (ZAP) CIS 700/002 : Special Topics : OWASP ZED (ZAP) Hitali Sheth CIS 700/002: Security of EMBS/CPS/IoT Department of Computer and Information Science School of Engineering and Applied Science University of

More information

Web Application Security. Philippe Bogaerts

Web Application Security. Philippe Bogaerts Web Application Security Philippe Bogaerts OWASP TOP 10 3 Aim of the OWASP Top 10 educate developers, designers, architects and organizations about the consequences of the most common web application security

More information

ForeScout Extended Module for VMware AirWatch MDM

ForeScout Extended Module for VMware AirWatch MDM ForeScout Extended Module for VMware AirWatch MDM Version 1.7.2 Table of Contents About the AirWatch MDM Integration... 4 Additional AirWatch Documentation... 4 About this Module... 4 How it Works... 5

More information

Interface Reference. McAfee Application Control Windows Interface Reference Guide. Add Installer page. (McAfee epolicy Orchestrator)

Interface Reference. McAfee Application Control Windows Interface Reference Guide. Add Installer page. (McAfee epolicy Orchestrator) McAfee Application Control 8.1.0 - Windows Interface Reference Guide (McAfee epolicy Orchestrator) Interface Reference Add Installer page Add an existing installer to the McAfee epo repository. Table 1

More information

NETWRIX ACTIVE DIRECTORY CHANGE REPORTER

NETWRIX ACTIVE DIRECTORY CHANGE REPORTER NETWRIX ACTIVE DIRECTORY CHANGE REPORTER ADMINISTRATOR S GUIDE Product Version: 7.2 January 2013. Legal Notice The information in this publication is furnished for information use only, and does not constitute

More information

DreamFactory Security Guide

DreamFactory Security Guide DreamFactory Security Guide This white paper is designed to provide security information about DreamFactory. The sections below discuss the inherently secure characteristics of the platform and the explicit

More information

COPYRIGHTED MATERIAL. Contents. Part I: The Basics in Depth 1. Chapter 1: Windows Attacks 3. Chapter 2: Conventional and Unconventional Defenses 51

COPYRIGHTED MATERIAL. Contents. Part I: The Basics in Depth 1. Chapter 1: Windows Attacks 3. Chapter 2: Conventional and Unconventional Defenses 51 Acknowledgments Introduction Part I: The Basics in Depth 1 Chapter 1: Windows Attacks 3 Attack Classes 3 Automated versus Dedicated Attacker 4 Remote versus Local 7 Types of Attacks 8 Dedicated Manual

More information

Application Layer Attacks. Application Layer Attacks. Application Layer. Application Layer. Internet Protocols. Application Layer.

Application Layer Attacks. Application Layer Attacks. Application Layer. Application Layer. Internet Protocols. Application Layer. Application Layer Attacks Application Layer Attacks Week 2 Part 2 Attacks Against Programs Application Layer Application Layer Attacks come in many forms and can target each of the 5 network protocol layers

More information

Dell SonicWALL Secure Mobile Access 8.5. Web Application Firewall Feature Guide

Dell SonicWALL Secure Mobile Access 8.5. Web Application Firewall Feature Guide Dell SonicWALL Secure Mobile Access 8.5 Copyright 2016 Dell Inc. All rights reserved. This product is protected by U.S. and international copyright and intellectual property laws. Dell, the Dell logo,

More information

Web Application & Web Server Vulnerabilities Assessment Pankaj Sharma

Web Application & Web Server Vulnerabilities Assessment Pankaj Sharma Web Application & Web Server Vulnerabilities Assessment Pankaj Sharma Indian Computer Emergency Response Team ( CERT - IN ) Department Of Information Technology 1 Agenda Introduction What are Web Applications?

More information

Legal Notes. Regarding Trademarks KYOCERA MITA Corporation

Legal Notes. Regarding Trademarks KYOCERA MITA Corporation Legal Notes Unauthorized reproduction of all or part of this guide is prohibited. The information in this guide is subject to change without notice. We cannot be held liable for any problems arising from

More information

Kaspersky Security for Windows Server

Kaspersky Security for Windows Server Kaspersky Security for Windows Server User's Guide Application version: 10.1.0.622 Dear User, Thank you for choosing Kaspersky Lab as your security software provider. We hope that this document helps you

More information

Imperva Incapsula Website Security

Imperva Incapsula Website Security Imperva Incapsula Website Security DA T A SH E E T Application Security from the Cloud Imperva Incapsula cloud-based website security solution features the industry s leading WAF technology, as well as

More information

Cisco Service Control Service Security: Outgoing Spam Mitigation Solution Guide, Release 4.1.x

Cisco Service Control Service Security: Outgoing Spam Mitigation Solution Guide, Release 4.1.x CISCO SERVICE CONTROL SOLUTION GUIDE Cisco Service Control Service Security: Outgoing Spam Mitigation Solution Guide, Release 4.1.x 1 Introduction and Scope 2 Functionality Overview 3 Mass-Mailing-Based

More information

Hackveda Training - Ethical Hacking, Networking & Security

Hackveda Training - Ethical Hacking, Networking & Security Hackveda Training - Ethical Hacking, Networking & Security Day1: Hacking windows 7 / 8 system and security Part1 a.) Windows Login Password Bypass manually without CD / DVD b.) Windows Login Password Bypass

More information

Vulnerability Validation Tutorial

Vulnerability Validation Tutorial Vulnerability Validation Tutorial Last updated 01/07/2014-4.8 Vulnerability scanning plays a key role in the vulnerability management process. It helps you find potential vulnerabilities so that you can

More information

Pass4sure q. Cisco Securing Cisco Networks with Sourcefire IPS

Pass4sure q. Cisco Securing Cisco Networks with Sourcefire IPS Pass4sure.500-285.42q Number: 500-285 Passing Score: 800 Time Limit: 120 min File Version: 6.1 Cisco 500-285 Securing Cisco Networks with Sourcefire IPS I'm quite happy to announce that I passed 500-285

More information

Using Your New Webmail

Using Your New Webmail Using Your New Webmail Table of Contents Composing a New Message... 2 Adding Attachments to a Message... 4 Inserting a Hyperlink... 6 Searching For Messages... 8 Downloading Email from a POP3 Account...

More information

Authentication and Password CS166 Introduction to Computer Security 2/11/18 CS166 1

Authentication and Password CS166 Introduction to Computer Security 2/11/18 CS166 1 Authentication and Password CS166 Introduction to Computer Security 2/11/18 CS166 1 CIA Triad Confidentiality Prevent disclosure of information to unauthorized parties Integrity Detect data tampering Availability

More information

OWASP TOP Release. Andy Willingham June 12, 2018 OWASP Cincinnati

OWASP TOP Release. Andy Willingham June 12, 2018 OWASP Cincinnati OWASP TOP 10 2017 Release Andy Willingham June 12, 2018 OWASP Cincinnati Agenda A quick history lesson The Top 10(s) Web Mobile Privacy Protective Controls Why have a Top 10? Software runs the world (infrastructure,

More information

Application and Data Security with F5 BIG-IP ASM and Oracle Database Firewall

Application and Data Security with F5 BIG-IP ASM and Oracle Database Firewall F5 White Paper Application and Data Security with F5 BIG-IP ASM and Oracle Database Firewall Organizations need an end-to-end web application and database security solution to protect data, customers,

More information

release notes effective version 10.3 ( )

release notes effective version 10.3 ( ) Introduction We are pleased to announce that Issuetrak 10.3 is available today! 10.3 focuses on improved security, introducing a new methodology for storing passwords. This document provides a brief outline

More information

Application security : going quicker

Application security : going quicker Application security : going quicker The web application firewall example Agenda Agenda o Intro o Application security o The dev team approach o The infra team approach o Impact of the agility o The WAF

More information

Web insecurity Security strategies General security Listing of server-side risks Language specific security. Web Security.

Web insecurity Security strategies General security Listing of server-side risks Language specific security. Web Security. Web Security Web Programming Uta Priss ZELL, Ostfalia University 2013 Web Programming Web Security Slide 1/25 Outline Web insecurity Security strategies General security Listing of server-side risks Language

More information

CN!Express CX-6000 Single User Version PCI Compliance Status Version June 2005

CN!Express CX-6000 Single User Version PCI Compliance Status Version June 2005 85 Grove Street - Peterboro ugh, N H 0345 8 voice 603-924-6 079 fax 60 3-924- 8668 CN!Express CX-6000 Single User Version 3.38.4.4 PCI Compliance Status Version 1.0 28 June 2005 Overview Auric Systems

More information

This slide shows the OWASP Top 10 Web Application Security Risks of 2017, which is a list of the currently most dangerous web vulnerabilities in

This slide shows the OWASP Top 10 Web Application Security Risks of 2017, which is a list of the currently most dangerous web vulnerabilities in 1 This slide shows the OWASP Top 10 Web Application Security Risks of 2017, which is a list of the currently most dangerous web vulnerabilities in terms of prevalence (how much the vulnerability is widespread),

More information

CONTENTS IN DETAIL INTRODUCTION 1 THE FAQS OF LIFE THE SCRIPTS EVERY PHP PROGRAMMER WANTS (OR NEEDS) TO KNOW 1 2 CONFIGURING PHP 19

CONTENTS IN DETAIL INTRODUCTION 1 THE FAQS OF LIFE THE SCRIPTS EVERY PHP PROGRAMMER WANTS (OR NEEDS) TO KNOW 1 2 CONFIGURING PHP 19 CONTENTS IN DETAIL INTRODUCTION xiii 1 THE FAQS OF LIFE THE SCRIPTS EVERY PHP PROGRAMMER WANTS (OR NEEDS) TO KNOW 1 #1: Including Another File as a Part of Your Script... 2 What Can Go Wrong?... 3 #2:

More information

Sophos Mobile as a Service

Sophos Mobile as a Service startup guide Product Version: 8 Contents About this guide... 1 What are the key steps?... 2 Change your password... 3 Change your login name... 4 Activate Mobile Advanced licenses...5 Check your licenses...6

More information

ForeScout Extended Module for MaaS360

ForeScout Extended Module for MaaS360 Version 1.8 Table of Contents About MaaS360 Integration... 4 Additional ForeScout MDM Documentation... 4 About this Module... 4 How it Works... 5 Continuous Query Refresh... 5 Offsite Device Management...

More information

Logging. About Logging. This chapter describes how to log system messages and use them for troubleshooting.

Logging. About Logging. This chapter describes how to log system messages and use them for troubleshooting. This chapter describes how to log system messages and use them for troubleshooting. About, page 1 Guidelines for, page 7 Configure, page 8 Monitoring the Logs, page 26 History for, page 29 About System

More information

HP Sygate Security Agent 4.0 User Guide

HP Sygate Security Agent 4.0 User Guide HP Sygate Security Agent 4.0 User Guide Documentation Build 1004 Published: May 1, 2005 Copyright Information Copyright 2003-2005 by Sygate Technologies, Inc. All rights reserved. No part of this document

More information

Attacks Against Websites 3 The OWASP Top 10. Tom Chothia Computer Security, Lecture 14

Attacks Against Websites 3 The OWASP Top 10. Tom Chothia Computer Security, Lecture 14 Attacks Against Websites 3 The OWASP Top 10 Tom Chothia Computer Security, Lecture 14 OWASP top 10. The Open Web Application Security Project Open public effort to improve web security: Many useful documents.

More information

Threat Landscape 2017

Threat Landscape 2017 Pattern Recognition and Applications Lab WEB Security Giorgio Giacinto giacinto@diee.unica.it Computer Security 2018 Department of Electrical and Electronic Engineering University of Cagliari, Italy Threat

More information

Telephony Toolbar Enterprise. User Guide

Telephony Toolbar Enterprise. User Guide Telephony Toolbar Enterprise User Guide Release 4.4 October 2009 Table of Contents 1 Summary of Changes... 7 1.1 Changes for this Release... 7 2 About This Guide... 8 2.1 Open Telephony Toolbar-Corporate...

More information

Configuring attack detection and prevention 1

Configuring attack detection and prevention 1 Contents Configuring attack detection and prevention 1 Overview 1 Attacks that the device can prevent 1 Single-packet attacks 1 Scanning attacks 2 Flood attacks 3 TCP fragment attack 4 Login DoS attack

More information

PASS4TEST. IT Certification Guaranteed, The Easy Way! We offer free update service for one year

PASS4TEST. IT Certification Guaranteed, The Easy Way!   We offer free update service for one year PASS4TEST IT Certification Guaranteed, The Easy Way! \ http://www.pass4test.com We offer free update service for one year Exam : 156-210 Title : Check Point CCSA NG Vendors : CheckPoint Version : DEMO

More information

Sophos Mobile SaaS startup guide. Product version: 7.1

Sophos Mobile SaaS startup guide. Product version: 7.1 Sophos Mobile SaaS startup guide Product version: 7.1 Contents 1 About this guide...4 2 What are the key steps?...5 3 Change your password...6 4 Change your login name...7 5 Activate SMC Advanced licenses...8

More information

EasyCrypt passes an independent security audit

EasyCrypt passes an independent security audit July 24, 2017 EasyCrypt passes an independent security audit EasyCrypt, a Swiss-based email encryption and privacy service, announced that it has passed an independent security audit. The audit was sponsored

More information

90% 191 Security Best Practices. Blades. 52 Regulatory Requirements. Compliance Report PCI DSS 2.0. related to this regulation

90% 191 Security Best Practices. Blades. 52 Regulatory Requirements. Compliance Report PCI DSS 2.0. related to this regulation Compliance Report PCI DSS 2.0 Generated by Check Point Compliance Blade, on April 16, 2018 15:41 PM O verview 1 90% Compliance About PCI DSS 2.0 PCI-DSS is a legal obligation mandated not by government

More information

Copyright

Copyright 1 Security Test EXTRA Workshop : ANSWER THESE QUESTIONS 1. What do you consider to be the biggest security issues with mobile phones? 2. How seriously are consumers and companies taking these threats?

More information

NETWRIX GROUP POLICY CHANGE REPORTER

NETWRIX GROUP POLICY CHANGE REPORTER NETWRIX GROUP POLICY CHANGE REPORTER ADMINISTRATOR S GUIDE Product Version: 7.2 November 2012. Legal Notice The information in this publication is furnished for information use only, and does not constitute

More information

Application vulnerabilities and defences

Application vulnerabilities and defences Application vulnerabilities and defences In this lecture We examine the following : SQL injection XSS CSRF SQL injection SQL injection is a basic attack used to either gain unauthorized access to a database

More information

BIG-IP Access Policy Manager : Secure Web Gateway. Version 13.0

BIG-IP Access Policy Manager : Secure Web Gateway. Version 13.0 BIG-IP Access Policy Manager : Secure Web Gateway Version 13.0 Table of Contents Table of Contents BIG-IP APM Secure Web Gateway Overview...9 About APM Secure Web Gateway... 9 About APM benefits for web

More information

What is New in Cisco ACE 4710 Application Control Engine Software Release 3.1

What is New in Cisco ACE 4710 Application Control Engine Software Release 3.1 What is New in Cisco ACE 4710 Application Control Engine Software Release 3.1 PB478675 Product Overview The Cisco ACE Application Control Engine 4710 represents the next generation of application switches

More information

Excerpts of Web Application Security focusing on Data Validation. adapted for F.I.S.T. 2004, Frankfurt

Excerpts of Web Application Security focusing on Data Validation. adapted for F.I.S.T. 2004, Frankfurt Excerpts of Web Application Security focusing on Data Validation adapted for F.I.S.T. 2004, Frankfurt by fs Purpose of this course: 1. Relate to WA s and get a basic understanding of them 2. Understand

More information

Kishin Fatnani. Founder & Director K-Secure. Workshop : Application Security: Latest Trends by Cert-In, 30 th Jan, 2009

Kishin Fatnani. Founder & Director K-Secure. Workshop : Application Security: Latest Trends by Cert-In, 30 th Jan, 2009 Securing Web Applications: Defense Mechanisms Kishin Fatnani Founder & Director K-Secure Workshop : Application Security: Latest Trends by Cert-In, 30 th Jan, 2009 1 Agenda Current scenario in Web Application

More information

ForeScout Extended Module for MobileIron

ForeScout Extended Module for MobileIron Version 1.8 Table of Contents About MobileIron Integration... 4 Additional MobileIron Documentation... 4 About this Module... 4 How it Works... 5 Continuous Query Refresh... 5 Offsite Device Management...

More information

R (2) Implementation of following spoofing assignments using C++ multi-core Programming a) IP Spoofing b) Web spoofing.

R (2) Implementation of following spoofing assignments using C++ multi-core Programming a) IP Spoofing b) Web spoofing. R (2) N (5) Oral (3) Total (10) Dated Sign Experiment No: 1 Problem Definition: Implementation of following spoofing assignments using C++ multi-core Programming a) IP Spoofing b) Web spoofing. 1.1 Prerequisite:

More information

CIS 4360 Secure Computer Systems XSS

CIS 4360 Secure Computer Systems XSS CIS 4360 Secure Computer Systems XSS Professor Qiang Zeng Spring 2017 Some slides are adapted from the web pages by Kallin and Valbuena Previous Class Two important criteria to evaluate an Intrusion Detection

More information

WebGoat Lab session overview

WebGoat Lab session overview WebGoat Lab session overview Initial Setup Virtual Machine Tamper Data Web Goat Basics HTTP Basics Sniffing Web server attacks SQL Injection XSS INITIAL SETUP Tamper Data Hold alt to reveal the menu in

More information

Andrew Muller, Canberra Managing Director, Ionize, Canberra The challenges of Security Testing. Security Testing. Taming the Wild West

Andrew Muller, Canberra Managing Director, Ionize, Canberra The challenges of Security Testing. Security Testing. Taming the Wild West Andrew Muller, Canberra Managing Director, Ionize, Canberra The challenges of Security Testing Advancing Expertise in Security Testing Taming the Wild West Canberra, Australia 1 Who is this guy? Andrew

More information

Cisco Next Generation Firewall Services

Cisco Next Generation Firewall Services Toronto,. CA May 30 th, 2013 Cisco Next Generation Firewall Services Eric Kostlan Cisco Technical Marketing 2011 2012 Cisco and/or its affiliates. All rights reserved. Cisco Connect 1 Objectives At the

More information

Endpoint Security Manager

Endpoint Security Manager Comodo Endpoint Security Manager Software Version 1.6 CIS Configuration Editor Version 1.6.010511 Comodo Security Solutions 1255 Broad Street STE 100 Clifton, NJ 07013 Table of Contents 1.Introduction

More information

An Overview of Webmail

An Overview of Webmail An Overview of Webmail Table of Contents What browsers can I use to view my mail? ------------------------------------------------------- 3 Email size and storage limits -----------------------------------------------------------------------

More information

Mastering phpmyadmiri 3.4 for

Mastering phpmyadmiri 3.4 for Mastering phpmyadmiri 3.4 for Effective MySQL Management A complete guide to getting started with phpmyadmin 3.4 and mastering its features Marc Delisle [ t]open so 1 I community experience c PUBLISHING

More information

How can you integrate Agiloft with Single Sign-On providers? What is Two-Factor Authentication and how is it used with Agiloft?

How can you integrate Agiloft with Single Sign-On providers? What is Two-Factor Authentication and how is it used with Agiloft? Unit 20: Security Questions Covered What forms of security are offered by Agiloft? How can you integrate Agiloft with Single Sign-On providers? What is Two-Factor Authentication and how is it used with

More information

RiskSense Attack Surface Validation for Web Applications

RiskSense Attack Surface Validation for Web Applications RiskSense Attack Surface Validation for Web Applications 2018 RiskSense, Inc. Keeping Pace with Digital Business No Excuses for Not Finding Risk Exposure We needed a faster way of getting a risk assessment

More information

Citrix NetScaler Basic and Advanced Administration Bootcamp

Citrix NetScaler Basic and Advanced Administration Bootcamp Citrix NetScaler Basic and Advanced Administration Bootcamp Duration: 6.00 Days Course Code: NETBC Overview: This boot camp covers the initial configuration and administration of Citrix NetScaler 9.2.

More information

Kaspersky Security for Windows Server

Kaspersky Security for Windows Server Kaspersky Security for Windows Server User's Guide Application version: 10.1.1.746 Dear User, Thank you for choosing Kaspersky Lab as your security software provider. We hope that this document helps you

More information

BIG-IP Analytics: Implementations. Version 13.1

BIG-IP Analytics: Implementations. Version 13.1 BIG-IP Analytics: Implementations Version 13.1 Table of Contents Table of Contents Setting Up Application Statistics Collection...5 What is Analytics?...5 About HTTP Analytics profiles... 5 Overview:

More information

Solution Composer. User's Guide

Solution Composer. User's Guide Solution Composer User's Guide January 2014 www.lexmark.com Contents 2 Contents Overview...4 Understanding the basics...4 System recommendations...5 Building custom solutions...6 Getting started...6 Step

More information

Snort Rules Classification and Interpretation

Snort Rules Classification and Interpretation Snort Rules Classification and Interpretation Pop2 Rules: Class Type Attempted Admin(SID: 1934, 284,285) GEN:SID 1:1934 Message POP2 FOLD overflow attempt Summary This event is generated when an attempt

More information

AppSpider Enterprise. Getting Started Guide

AppSpider Enterprise. Getting Started Guide AppSpider Enterprise Getting Started Guide Contents Contents 2 About AppSpider Enterprise 4 Getting Started (System Administrator) 5 Login 5 Client 6 Add Client 7 Cloud Engines 8 Scanner Groups 8 Account

More information

Survey of Cyber Moving Targets. Presented By Sharani Sankaran

Survey of Cyber Moving Targets. Presented By Sharani Sankaran Survey of Cyber Moving Targets Presented By Sharani Sankaran Moving Target Defense A cyber moving target technique refers to any technique that attempts to defend a system and increase the complexity of

More information

Installing and Configuring Worldox/Web Mobile

Installing and Configuring Worldox/Web Mobile Installing and Configuring Worldox/Web Mobile SETUP GUIDE v 1.1 Revised 6/16/2009 REVISION HISTORY Version Date Author Description 1.0 10/20/2008 Michael Devito Revised and expanded original draft document.

More information

RBS NetGain Enterprise Manager Multiple Vulnerabilities of 11

RBS NetGain Enterprise Manager Multiple Vulnerabilities of 11 RBS-2018-004 NetGain Enterprise Manager Multiple Vulnerabilities 2018-03-22 1 of 11 Table of Contents Vendor / Product Information 3 Vulnerable Program Details 3 Credits 3 Impact 3 Vulnerability Details

More information

BIG-IP Application Security Manager : Implementations. Version 13.0

BIG-IP Application Security Manager : Implementations. Version 13.0 BIG-IP Application Security Manager : Implementations Version 13.0 Table of Contents Table of Contents Preventing DoS Attacks on Applications... 13 What is a DoS attack?...13 About recognizing DoS attacks...

More information

ForeScout Extended Module for Symantec Endpoint Protection

ForeScout Extended Module for Symantec Endpoint Protection ForeScout Extended Module for Symantec Endpoint Protection Version 1.0.0 Table of Contents About the Symantec Endpoint Protection Integration... 4 Use Cases... 4 Additional Symantec Endpoint Protection

More information

Configuring BIG-IP ASM v12.1 Application Security Manager

Configuring BIG-IP ASM v12.1 Application Security Manager Course Description Configuring BIG-IP ASM v12.1 Application Security Manager Description The BIG-IP Application Security Manager course gives participants a functional understanding of how to deploy, tune,

More information

Community Edition Getting Started Guide. July 25, 2018

Community Edition Getting Started Guide. July 25, 2018 Community Edition Getting Started Guide July 25, 2018 Copyright 2018 by Qualys, Inc. All Rights Reserved. Qualys and the Qualys logo are registered trademarks of Qualys, Inc. All other trademarks are the

More information

Chapter 5: Vulnerability Analysis

Chapter 5: Vulnerability Analysis Chapter 5: Vulnerability Analysis Technology Brief Vulnerability analysis is a part of the scanning phase. In the Hacking cycle, vulnerability analysis is a major and important part. In this chapter, we

More information

How to Configure Authentication and Access Control (AAA)

How to Configure Authentication and Access Control (AAA) How to Configure Authentication and Access Control (AAA) Overview The Barracuda Web Application Firewall provides features to implement user authentication and access control. You can create a virtual

More information

Cox Business Online Backup Administrator Guide. Version 2.0

Cox Business Online Backup Administrator Guide. Version 2.0 Cox Business Online Backup Administrator Guide Version 2.0 2012 by Cox Communications. All rights reserved. No part of this document may be reproduced or transmitted in any form or by any means, electronic,

More information

CNIT 129S: Securing Web Applications. Ch 10: Attacking Back-End Components

CNIT 129S: Securing Web Applications. Ch 10: Attacking Back-End Components CNIT 129S: Securing Web Applications Ch 10: Attacking Back-End Components Injecting OS Commands Web server platforms often have APIs To access the filesystem, interface with other processes, and for network

More information

Roxen Content Provider

Roxen Content Provider Roxen Content Provider Generation 3 Templates Purpose This workbook is designed to provide a training and reference tool for placing University of Alaska information on the World Wide Web (WWW) using the

More information

Vulnerability Management & Vulnerability Assessment. Nessus Attack Scripting Language (NASL). CVE databases, NVD database

Vulnerability Management & Vulnerability Assessment. Nessus Attack Scripting Language (NASL). CVE databases, NVD database Case Study 2018 Solution/Service Title Vulnerability Management & Vulnerability Assessment Client Industry Cybersecurity, Vulnerability Assessment and Management, Network Security Client Overview Client

More information

Lecture Overview. IN5290 Ethical Hacking

Lecture Overview. IN5290 Ethical Hacking Lecture Overview IN5290 Ethical Hacking Lecture 6: Web hacking 2, Cross Site Scripting (XSS), Cross Site Request Forgery (CSRF), Session related attacks Universitetet i Oslo Laszlo Erdödi How to use Burp

More information

Lecture 6: Web hacking 2, Cross Site Scripting (XSS), Cross Site Request Forgery (CSRF), Session related attacks

Lecture 6: Web hacking 2, Cross Site Scripting (XSS), Cross Site Request Forgery (CSRF), Session related attacks IN5290 Ethical Hacking Lecture 6: Web hacking 2, Cross Site Scripting (XSS), Cross Site Request Forgery (CSRF), Session related attacks Universitetet i Oslo Laszlo Erdödi Lecture Overview How to use Burp

More information

I, J, K. Lightweight directory access protocol (LDAP), 162

I, J, K. Lightweight directory access protocol (LDAP), 162 Index A Access Control, 183 Administration console, 17 home page, 17 managing instances, 19 managing requests, 18 managing workspaces, 19 monitoring activity, 19 Advanced security option (ASO), 58, 262

More information

Integrate Apache Web Server

Integrate Apache Web Server Publication Date: January 13, 2017 Abstract This guide helps you in configuring Apache Web Server and EventTracker to receive Apache Web server events. The detailed procedures required for monitoring Apache

More information

WHAT S NEW WITH OBSERVEIT: INSIDER THREAT MANAGEMENT VERSION 6.5

WHAT S NEW WITH OBSERVEIT: INSIDER THREAT MANAGEMENT VERSION 6.5 WHAT S NEW WITH OBSERVEIT: INSIDER THREAT MANAGEMENT VERSION 6.5 ObserveIT s award-winning insider threat management software combines user monitoring, behavioral analytics, and now policy enforcement

More information